Is File System Access safe to use?

File System Access has a security risk score of 66.85/100 (HIGH risk). Our security analysis detected 202 findings. Review the detailed security assessment below to understand the specific risks before installation.

What are the security risks of File System Access?

Based on our automated security analysis, File System Access presents high risk level. The extension is analyzed for malware patterns, secret exposure, network communications, permissions, and supply chain vulnerabilities.

How is the security score calculated?

Risky Plugins calculates security scores using weighted categories: severity of findings (25 points max), malware detections (35 points), secret exposure (28 points), network communications (10 points), and obfuscation (10 points). Scores range from 0-100, with higher scores indicating greater risk.

What does CRITICAL, HIGH, MEDIUM, LOW, MINIMAL risk mean?

CRITICAL (80-100): Severe security issues like malware. HIGH (60-79): Significant vulnerabilities. MEDIUM (40-59): Moderate security concerns. LOW (20-39): Minor issues. MINIMAL (0-19): Very low risk. Always review findings before installing any extension.

Is "File System Access" on Firefox Add-ons Safe to Install?

Name: File System Access
Availability: InStock
Rating: 3.3333 (3 reviews)
Author: sycxyc

sycxyc · firefox · v0.9.4

Risk Assessment

Analyzed

66.85

out of 100

HIGH

202 security findings detected across all analyzers

Firefox extension requesting 4 permissions

Severity Breakdown

Critical

High

126

Medium

Low

Info

Finding Categories

Malware Signatures

Network

121

IoC Indicators

YARA Rules Matched

11 rules(76 hits)

postinstall system command postinstall file manipulation postinstall network communication NoUseWeakRandom postinstall file download AlertStatementsShouldNotBeUsed postinstall obfuscation postinstall persistence mechanism postinstall crypto operations postinstall environment access credential env files

Requested Permissions

4 permissions

nativeMessaging

Exchange messages with programs outside the browser

Dangerous

<all_urls>

Access and modify data on every website you visit

Dangerous

storage

Low

webNavigation

Low

About This Extension

This extension brings the File System Access API to Firefox that helps web apps such as https://vscode.dev read and write local files and folders. Main features: * Implemented showOpenFilePicker, showDirectoryPicker, showSaveFilePicker functions and related interfaces. * Set to enable specific File System Access features on matching web pages. * Provides File System Access API for other compatible WebExtensions. Notes: * <b>The local file operations required by this extension cannot be performed in the browser, and a <a href="https://prod.outgoing.prod.webservices.mozgcp.net/v1/8c0e93e7ff25738aeeb97c29cbedb7b094d52c7950959184f2abdcf15c741f32/https%3A//github.com/ichaoX/ext-file/releases" rel="nofollow">helper app</a> needs to be installed to assist in the related work.</b> * The optional Code Editor feature is provided by the <a href="https://addons.mozilla.org/firefox/addon/code-editor/" rel="nofollow">Code Editor</a> extension. Limitations: * By default, <code>FileSystemHandle</code> will lose its instance methods after cloning (e.g. using <code>IndexedDB</code> or <code>postMessage</code>), and requires additional configuration of the <code>FS_CONFIG.CLONE_ENABLED</code>. Web developers can use <code>__FILE_SYSTEM_TOOLS__.parseHandle(handle)</code> to restore the instance methods. * Limited Worker context support and requires additional configuration of the <code>FS_CONFIG.WORKER_ENABLED</code>. * Read file size is limited by the <code>FS_CONFIG.FILE_SIZE_LIMIT</code>. Web developers can read large file streams and slices with <code>handle.getFile({ _allowNonNative: true })</code>, and write large file in-place with <code>handle.createWritable({ _inPlace: true, keepExistingData: true })</code>. * <code>DataTransferItem.prototype.getAsFileSystemHandle</code> is not implemented. This extension is open source and you can file bug reports or feature requests on the <a href="https://prod.outgoing.prod.webservices.mozgcp.net/v1/e34336bdabb44d27d3a561579149cafa24e24cf09039fb792cc98787af6a4a52/https%3A//github.com/ichaoX/ext-file/issues" rel="nofollow">GitHub issue</a>. References: * <a href="https://prod.outgoing.prod.webservices.mozgcp.net/v1/7d8a382ffb9084931279c4b98be0561b9aaec8f257aba5a5ca4c7c0ec6a47f6b/https%3A//wicg.github.io/file-system-access/" rel="nofollow">https://wicg.github.io/file-system-access/</a>

Detailed Findings

81 total

YARA Rule Matches

11 rules

Indicators of Compromise

Network indicators, suspicious strings, and potential IoCs extracted during analysis

URLs

IP Addresses

Domains

Strings

121

All Indicators · 121

Domain

detected Domain: names.map

XIOC detected Domain: names.map

extracted_from_files

detected IP: a::af

XIOC detected IP: a::af

extracted_from_files

Domain

detected Domain: self.open

XIOC detected Domain: self.open

extracted_from_files

Domain

detected Domain: prompt.id

XIOC detected Domain: prompt.id

extracted_from_files

Domain

detected Domain: prompt.sender.tab

XIOC detected Domain: prompt.sender.tab

extracted_from_files

Other

detected Email: [email protected]

XIOC detected Email: [email protected]

extracted_from_files

Other

detected Email: [email protected]

XIOC detected Email: [email protected]

extracted_from_files

URL

detected URL: http://addons.mozilla.org/ca/crl.pem0N

XIOC detected URL: http://addons.mozilla.org/ca/crl.pem0N

extracted_from_files

URL

detected URL: https://github.com/ichaoX/ext-file/issues

XIOC detected URL: https://github.com/ichaoX/ext-file/issues

extracted_from_files

URL

detected URL: https://github.com/ichaoX/ext-file

XIOC detected URL: https://github.com/ichaoX/ext-file

extracted_from_files

URL

detected URL: https://vscode.dev

XIOC detected URL: https://vscode.dev

extracted_from_files

Domain

detected Domain: foreach.call

XIOC detected Domain: foreach.call

extracted_from_files

Domain

detected Domain: entry.target

XIOC detected Domain: entry.target

extracted_from_files

Domain

detected Domain: rect.top

XIOC detected Domain: rect.top

extracted_from_files

Domain

detected Domain: mode.read

XIOC detected Domain: mode.read

extracted_from_files

Domain

detected Domain: details.world

XIOC detected Domain: details.world

extracted_from_files

Domain

detected Domain: func.call

XIOC detected Domain: func.call

extracted_from_files

Domain

detected Domain: r.data

XIOC detected Domain: r.data

extracted_from_files

Domain

detected Domain: vscode.dev

XIOC detected Domain: vscode.dev

extracted_from_files

Domain

detected Domain: browser.storage

XIOC detected Domain: browser.storage

extracted_from_files

Domain

detected Domain: wicg.github.io

XIOC detected Domain: wicg.github.io

extracted_from_files

Domain

detected Domain: developer.mozilla.org

XIOC detected Domain: developer.mozilla.org

extracted_from_files

Domain

detected Domain: event.id

XIOC detected Domain: event.id

extracted_from_files

Domain

detected Domain: context.id

XIOC detected Domain: context.id

extracted_from_files

Domain

detected Domain: onreadystatechange.call

XIOC detected Domain: onreadystatechange.call

extracted_from_files

Domain

detected Domain: message.id

XIOC detected Domain: message.id

extracted_from_files

Domain

detected Domain: result.id

XIOC detected Domain: result.id

extracted_from_files

Domain

detected Domain: e.data

XIOC detected Domain: e.data

extracted_from_files

Domain

detected Domain: details.map

XIOC detected Domain: details.map

extracted_from_files

Domain

detected Domain: filehandle.name

XIOC detected Domain: filehandle.name

extracted_from_files

Domain

detected Domain: dirhandle.name

XIOC detected Domain: dirhandle.name

extracted_from_files

Domain

detected Domain: signingca1.addons.mozilla.org

XIOC detected Domain: signingca1.addons.mozilla.org

extracted_from_files

Domain

detected Domain: event.target

XIOC detected Domain: event.target

extracted_from_files

Domain

detected Domain: writeable.seek

XIOC detected Domain: writeable.seek

extracted_from_files

Domain

detected Domain: context.events

XIOC detected Domain: context.events

extracted_from_files

Domain

detected Domain: run.call

XIOC detected Domain: run.call

extracted_from_files

Domain

detected Domain: p.id

XIOC detected Domain: p.id

extracted_from_files

Domain

detected Domain: path.map

XIOC detected Domain: path.map

extracted_from_files

Domain

detected Domain: paths.map

XIOC detected Domain: paths.map

extracted_from_files

Domain

detected Domain: browser.pageaction.show

XIOC detected Domain: browser.pageaction.show

extracted_from_files

Domain

detected Domain: tabinfo.id

XIOC detected Domain: tabinfo.id

extracted_from_files

Domain

detected Domain: result.data

XIOC detected Domain: result.data

extracted_from_files

Domain

detected Domain: input.name

XIOC detected Domain: input.name

extracted_from_files

Domain

detected Domain: options.id

XIOC detected Domain: options.id

extracted_from_files

Domain

detected Domain: response1.data

XIOC detected Domain: response1.data

extracted_from_files

Domain

detected Domain: self.name

XIOC detected Domain: self.name

extracted_from_files

URL

detected URL: https://wicg.github.io/file-system-access/

XIOC detected URL: https://wicg.github.io/file-system-access/

extracted_from_files

Domain

detected Domain: browser.runtime.id

XIOC detected Domain: browser.runtime.id

extracted_from_files

Domain

detected Domain: console.info

XIOC detected Domain: console.info

extracted_from_files

Domain

detected Domain: this.parts

XIOC detected Domain: this.parts

extracted_from_files

Domain

detected Domain: response.next

XIOC detected Domain: response.next

extracted_from_files

Domain

detected Domain: m.data

XIOC detected Domain: m.data

extracted_from_files

Domain

detected Domain: m.id

XIOC detected Domain: m.id

extracted_from_files

Domain

detected Domain: message.data

XIOC detected Domain: message.data

extracted_from_files

Domain

detected Domain: sender.tab

XIOC detected Domain: sender.tab

extracted_from_files

Domain

detected Domain: sender.tab.id

XIOC detected Domain: sender.tab.id

extracted_from_files

Domain

detected Domain: event.data

XIOC detected Domain: event.data

extracted_from_files

URL

detected Domain: urls.map

XIOC detected Domain: urls.map

extracted_from_files

Domain

detected Domain: response.id

XIOC detected Domain: response.id

extracted_from_files

Domain

detected Domain: messagedata.events

XIOC detected Domain: messagedata.events

extracted_from_files

Domain

detected Domain: fsa-host.py

XIOC detected Domain: fsa-host.py

extracted_from_files

Domain

detected Domain: webext.fsa.app

XIOC detected Domain: webext.fsa.app

extracted_from_files

Domain

detected Domain: this.data.settings.app

XIOC detected Domain: this.data.settings.app

extracted_from_files

Domain

detected Domain: blob.stream

XIOC detected Domain: blob.stream

extracted_from_files

Domain

detected Domain: path.name

XIOC detected Domain: path.name

extracted_from_files

Domain

detected Domain: cpath.name

XIOC detected Domain: cpath.name

extracted_from_files

Domain

detected Domain: fs.read

XIOC detected Domain: fs.read

extracted_from_files

Domain

detected Domain: data.id

XIOC detected Domain: data.id

extracted_from_files

Domain

detected Domain: options.data

XIOC detected Domain: options.data

extracted_from_files

Domain

detected Domain: response.data

XIOC detected Domain: response.data

extracted_from_files

Domain

detected Domain: filesystemhandlekindenum.directory

XIOC detected Domain: filesystemhandlekindenum.directory

extracted_from_files

Domain

detected Domain: this.name

XIOC detected Domain: this.name

extracted_from_files

Domain

detected Domain: fs.mv

XIOC detected Domain: fs.mv

extracted_from_files

Domain

detected Domain: meta.name

XIOC detected Domain: meta.name

extracted_from_files

Domain

detected Domain: gen.next

XIOC detected Domain: gen.next

extracted_from_files

Domain

detected Domain: handle.name

XIOC detected Domain: handle.name

extracted_from_files

Domain

detected Domain: e.name

XIOC detected Domain: e.name

extracted_from_files

Domain

detected Domain: date.now

XIOC detected Domain: date.now

extracted_from_files

Domain

detected Domain: fn.call

XIOC detected Domain: fn.call

extracted_from_files

Domain

detected Domain: filesystemwritablefilestream.seek

XIOC detected Domain: filesystemwritablefilestream.seek

extracted_from_files

Domain

detected Domain: writecommandtypeenum.seek

XIOC detected Domain: writecommandtypeenum.seek

extracted_from_files

Domain

detected Domain: object.prototype.tostring.call

XIOC detected Domain: object.prototype.tostring.call

extracted_from_files

Domain

detected Domain: sender.id

XIOC detected Domain: sender.id

extracted_from_files

Domain

detected Domain: data.app

XIOC detected Domain: data.app

extracted_from_files

Domain

detected Domain: result.app

XIOC detected Domain: result.app

extracted_from_files

Domain

detected Domain: mozilla.com

XIOC detected Domain: mozilla.com

extracted_from_files

Domain

detected Domain: addons.mozilla.org

XIOC detected Domain: addons.mozilla.org

extracted_from_files

Domain

detected Domain: content-signature.mozilla.org

XIOC detected Domain: content-signature.mozilla.org

extracted_from_files

Domain

detected Domain: example.com

XIOC detected Domain: example.com

extracted_from_files

Domain

detected Domain: tb141a458b570ce00439f547a85ad915a.c049658f6f513ed9722664f56547149d.addons.mozilla.org

XIOC detected Domain: tb141a458b570ce00439f547a85ad915a.c049658f6f513ed9722664f56547149d.addons.mozilla.org

extracted_from_files

Domain

detected Domain: github.com

XIOC detected Domain: github.com

extracted_from_files

detected IP: ::af

XIOC detected IP: ::af

extracted_from_files

Domain

detected Domain: list-item.directory

XIOC detected Domain: list-item.directory

extracted_from_files

detected IP: ::bef

XIOC detected IP: ::bef

extracted_from_files

detected IP: e::af

XIOC detected IP: e::af

extracted_from_files

detected Domain: helper-app-lite-macos.zip

XIOC detected Domain: helper-app-lite-macos.zip

extracted_from_files

detected Domain: helper-app-lite-windows.zip

XIOC detected Domain: helper-app-lite-windows.zip

extracted_from_files

detected Domain: helper-app-lite-linux.zip

XIOC detected Domain: helper-app-lite-linux.zip

extracted_from_files

URL

detected URL: https://addons.mozilla.org/en-US/firefox/addon/file-system-access/)

XIOC detected URL: https://addons.mozilla.org/en-US/firefox/addon/file-system-access/)

extracted_from_files

URL

detected URL: https://github.com/whatwg/fs/pull/9

XIOC detected URL: https://github.com/whatwg/fs/pull/9

extracted_from_files

URL

detected URL: https://github.com/whatwg/fs/pull/10

XIOC detected URL: https://github.com/whatwg/fs/pull/10

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Web/JavaScript

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Web/JavaScript

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Grammar_and_types#declarations

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Grammar_and_types#declarations

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON#javascript_and_json_differences

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON#javascript_and_json_differences

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts/register#parameters

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/contentScripts/register#parameters

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests#manifest_location

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_manifests#manifest_location

extracted_from_files

URL

detected URL: https://github.com/ichaoX/ext-file/releases

XIOC detected URL: https://github.com/ichaoX/ext-file/releases

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API#worker_global_contexts_and_functions

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API#worker_global_contexts_and_functions

extracted_from_files

URL

detected URL: http://example.com/RegisteredContentScriptOptions.json

XIOC detected URL: http://example.com/RegisteredContentScriptOptions.json

extracted_from_files

URL

detected URL: http://example.com/ExtensionFileOrCode.json

XIOC detected URL: http://example.com/ExtensionFileOrCode.json

extracted_from_files

URL

detected URL: http://example.com/array_string.json

XIOC detected URL: http://example.com/array_string.json

extracted_from_files

URL

detected URL: https://addons.mozilla.org/en-US/firefox/addon/code-editor/

XIOC detected URL: https://addons.mozilla.org/en-US/firefox/addon/code-editor/

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Web/API/File

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Web/API/File

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Web/API/Worker

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Web/API/Worker

extracted_from_files

URL

detected URL: https://developer.mozilla.org/en-US/docs/Web/API/File_System_API

XIOC detected URL: https://developer.mozilla.org/en-US/docs/Web/API/File_System_API

extracted_from_files

Hash

detected MD5 Hash: c049658f6f513ed9722664f56547149d

XIOC detected MD5 Hash: c049658f6f513ed9722664f56547149d

extracted_from_files

detected IP: 127.0.0.1

XIOC detected IP: 127.0.0.1

extracted_from_files

Domain

detected Domain: save.click

XIOC detected Domain: save.click

extracted_from_files

Domain

detected Domain: data.data

XIOC detected Domain: data.data

extracted_from_files

Domain

detected Domain: filesystempermissionmodeenum.read

XIOC detected Domain: filesystempermissionmodeenum.read

extracted_from_files

Domain

detected Domain: dirhandle0.name

XIOC detected Domain: dirhandle0.name

extracted_from_files

Security Analysis Summary

Security Analysis Overview

File System Access is a Firefox Add-ons extension published by sycxyc. Version 0.9.4 has been analyzed by the Risky Plugins security platform, receiving a risk score of 66.85/100 (HIGH risk) based on 202 security findings.

Risk Assessment

This extension presents high security risk. Significant concerns were identified during analysis. It is not recommended for use in sensitive or production environments without thorough review.

Findings Breakdown

High: 76 finding(s)
Medium: 126 finding(s)

What Was Analyzed

The security assessment covers multiple analysis categories:

Malware Detection: YARA rule matching against 2,400+ malware signatures
Secret Detection: Scanning for exposed API keys, tokens, and credentials
Static Analysis: Code-level security analysis for common vulnerability patterns
Network Analysis: Detection of suspicious network communications and endpoints
Obfuscation Detection: Identification of code obfuscation techniques

Developer Information

File System Access is published by sycxyc on the Firefox Add-ons marketplace. The extension has approximately 132 users.

Recommendation

This extension is not recommended for installation without thorough manual review. Consider alternatives with lower risk scores, or contact the developer to address the identified security concerns.

Source Code Viewer

Source Code Not Available

Source code is not available for this version of the extension.

Frequently Asked Questions

Similar Extensions

Related extensions from the same publisher or marketplace

Code Editor

sycxyc

CRITICAL 640 users

WebRequest Rules

sycxyc

CRITICAL 138 users

File System Access

sycxyc

CRITICAL 99 users

WebRequest Rules

sycxyc

CRITICAL 125 users

Text Fragment

sycxyc

HIGH 994 users

Text Fragment

sycxyc

HIGH 977 users

Risk Assessment

Severity Breakdown

Finding Categories

YARA Rules Matched

Requested Permissions

About This Extension

Detailed Findings

MANIFEST-SENSITIVE-PERM-NATIVEMESSAGING

MANIFEST-SENSITIVE-PERM-<ALL_URLS>

NET-FETCH-lib/util.js-56

NET-FETCH-lib/api/fs.js-1318

NET-FETCH-assets/file-system-access.js-1347

YARA Rule Matches

postinstall system command

postinstall file manipulation

postinstall network communication

NoUseWeakRandom

postinstall file download

AlertStatementsShouldNotBeUsed

postinstall obfuscation

postinstall persistence mechanism

postinstall crypto operations

postinstall environment access

credential env files

Indicators of Compromise

All Indicators · 121

Security Analysis Summary

Security Analysis Overview

Risk Assessment

Findings Breakdown

What Was Analyzed

Developer Information

Recommendation

Frequently Asked Questions

Similar Extensions

Code Editor

WebRequest Rules

File System Access

WebRequest Rules

Text Fragment

Text Fragment