Is Lightshot (screenshot tool) safe?
This security report analyses whether Lightshot (screenshot tool) is safe to install on your browser. We check Lightshot (screenshot tool) for malicious behaviour, data exfiltration, suspicious permissions, and known vulnerabilities so you can decide if Lightshot (screenshot tool) is safe for your personal or enterprise fleet.
Legitimate screenshot tool that transmits platform metadata (OS/architecture) to api.prntscr.com without explicit disclosure; holds broader cookie permission than needed for its stated functionality.
AI-generated. Findings may contain errors. Those marked Verified have been manually reviewed.
Publishers can request a review.
Findings
Platform OS and CPU architecture transmitted to api.prntscr.com during account linking without disclosure
sw.js:45 calls chrome.runtime.getPlatformInfo() and formats result as '{os} {arch}' string. This is sent as app_description parameter in a POST to api.prntscr.com JSON-RPC method 'attach_extension' alongside auth token and app_id. Triggered on first upload or when cached __auth cookie differs from current value. Not described in store listing.
cookies permission declared with *://*/* host permissions broader than necessary
manifest.json declares cookies permission with host_permissions *://*/*, granting ability to read/write/delete cookies for any website. Code at sw.js:33 only calls chrome.cookies.get with url 'https://api.prntscr.com/v1.1/' to read __auth cookie. A narrower host permission of *://*.prntscr.com/* would suffice.
Authentication cookie value cached in chrome.storage.local
sw.js:33 reads __auth cookie from api.prntscr.com and stores its value in chrome.storage.local under key 'last_used_cookie'. The cached value is compared against live cookie on subsequent uploads to detect session changes. Creates a cleartext copy of the authentication token in extension-accessible storage.