Google Workspace vs Am I Being Pwned
Triaging Browser Extensions in Google Workspace
Google Workspace has strong extension controls but shows third-party permission scores, not its own verdict. Here's how to triage Chrome extensions with behavioural evidence.
Does Google Workspace assess browser extension risk?
Google's Chrome Enterprise Core (formerly Chrome Browser Cloud Management) gives admins the best native extension controls of any platform here - a full first-party inventory, and enforcement by extension ID, by requested permission, by URL, plus force-install and an approval workflow. What it does not give you is Google's own risk assessment. The risk scores shown in the console come from third parties: Spin.AI, CRXcavator and LayerX. Google surfaces them; it doesn't compute them.
So the native Workspace answer to 'is this extension dangerous?' is either a third-party permission-based score or Chrome Web Store review - and Google's own docs acknowledge extensions 'can still temporarily bypass detection or change behavior after publication'. Store review is publish-time curation, not a per-tenant fleet verdict.
Am I Being Pwned plugs straight into that model. One Google sign-in scans every extension in your Workspace, reading and running each one to see what it really does, and ranks them by that behaviour rather than a resold permission score. Then you enforce the result through the same Chrome policies you already control.
What Google Workspace gives you
- A complete first-party inventory of extensions across managed Chrome, with install counts and per-extension detail
- Third-party risk scores (Spin.AI, CRXcavator, LayerX) surfaced directly in the admin console
- The strongest native enforcement here: block by ID, by permission, by URL, force-install, and default-deny
- An extension approval workflow so users can request installs and admins can vet them
- Chrome Web Store review at publish time (automated scanning plus selective manual review)
Where it stops
- Google computes no risk score of its own - the console shows third-party scores instead
- Extensions on your fleet get no behavioural or code analysis
- There's no verdict - you get permissions plus an embedded third-party number
- Store review runs only at publish time, and Google notes extensions can change behaviour afterwards
- What installed extensions actually do is never re-scanned
How to triage browser extensions in Google Workspace
Chrome Enterprise gives you great controls and a borrowed risk score. Here's how to add the missing piece - a verdict based on what the code actually does.
1. Pull the extension inventory from Chrome Enterprise Core
In the Admin console, open the Chrome extension usage and reporting view for a full list of what's installed across your managed browsers, with permissions and install counts.
2. Treat the embedded score as a third-party opinion
The risk number next to each extension comes from Spin.AI, CRXcavator or LayerX, and it's permission-based. Our analysis of 2,534 extensions found permission-derived scores had no meaningful correlation with real risk - so don't stop there.
3. Scan the whole Workspace behaviourally
One Google sign-in lets Am I Being Pwned rank every extension in your Workspace by what its code actually does, and emails you the report. This is the analysis Google doesn't perform itself.
4. Enforce through Chrome policy
Chrome Enterprise has the strongest native enforcement here - block by ID or by permission, force-install approved extensions, or default-deny. Feed the behavioural verdicts into those policies.
5. Keep scanning after approval
Store review runs at publish time and extensions can change behaviour later. Continuous re-scanning flags an approved extension that turns malicious in an update.
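One way to carry out steps 4 and 5, as an added example that is not code from this page or from Am I Being Pwned: a small generator that turns per-extension verdicts into a value for Chrome's `ExtensionSettings` policy. The verdict labels (`required`, `approved`, `critical`), the sample IDs and the install message are assumptions made for illustration.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample verdicts; the IDs are placeholders, not real extensions.
SAMPLE_VERDICTS = {
    "a" * 32: "required",  # vetted and pushed to every browser
    "b" * 32: "approved",  # vetted, users may install it
    "c" * 32: "critical",  # behavioural scan flagged it
}


def build_extension_settings(verdicts, blocked_permissions=()):
    """Turn {extension_id: verdict} into an ExtensionSettings policy dict."""
    perms = sorted(blocked_permissions)
    # Default-deny: anything without its own entry cannot be installed.
    policy = {"*": {"installation_mode": "blocked",
                    "blocked_install_message": "Ask IT security for a review."}}
    for ext_id, verdict in verdicts.items():
        if not EXT_ID.fullmatch(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
        if verdict == "required":
            entry = {"installation_mode": "force_installed",
                     "update_url": WEBSTORE_UPDATE_URL}
        elif verdict == "approved":
            entry = {"installation_mode": "allowed"}
            if perms:  # set per entry instead of relying on "*" inheritance
                entry["blocked_permissions"] = perms
        elif verdict == "critical":
            entry = {"installation_mode": "blocked"}
        else:
            raise ValueError(f"unknown verdict {verdict!r} for {ext_id}")
        policy[ext_id] = entry
    return policy


def apply_rescan(verdicts, rescan):
    """Overlay a later scan on earlier verdicts; the newest verdict wins."""
    return {**verdicts, **rescan}


if __name__ == "__main__":
    # Step 5: an approved extension is re-scanned as critical after an update.
    current = apply_rescan(SAMPLE_VERDICTS, {"b" * 32: "critical"})
    policy = build_extension_settings(current, {"nativeMessaging"})
    print(json.dumps(policy, indent=2))
```

The printed JSON is the shape the `ExtensionSettings` policy expects; regenerating it after every re-scan keeps the allowlist in step with the latest verdicts.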
From our published research
“Permissions describe what an extension is allowed to do. They say nothing about what it does.”
Why Permission Scoring Fails
Why a borrowed permission score isn't a verdict.
“Spin AI scored Stylish as 33 (low risk). We scored it critical.”
Why Permission Scoring Fails
Chrome surfaces Spin.AI scores; here is one on a 2M-user data harvester.
“Spin AI scored it 51 (medium risk) - higher than Stylish, higher than Coupert, roughly the same as the extensions we observed collecting data.”
Why Permission Scoring Fails
The third-party score Chrome shows, rating trusted uBlock Origin as risky.
Frequently asked questions
Does Google Workspace give browser extensions a risk score?
Not one Google calculates. Chrome Enterprise Core surfaces third-party risk scores from Spin.AI, CRXcavator and LayerX directly in the admin console. Google's own contribution is Chrome Web Store review at publish time, not a per-tenant fleet risk assessment.
Can I block extensions by permission in Google Workspace?
Yes. Chrome Enterprise has the strongest native extension enforcement of the major platforms: you can block by extension ID, by requested permission, by URL, force-install approved extensions, and default-deny everything else, all enforced by the browser via Chrome policy.
Is Chrome Web Store review enough to keep malicious extensions out?
Not on its own. Google's own documentation notes that extensions 'can still temporarily bypass detection or change behavior after publication'. Store review is publish-time curation; it doesn't continuously check what an installed extension does on your fleet.
How do I get a real risk assessment for Workspace extensions?
Because Google surfaces third-party permission-based scores rather than analysing extensions itself, teams add a dedicated scanner. Am I Being Pwned scans every extension in your Workspace from a single Google sign-in and returns an evidence-backed verdict from reading and running the code, then you enforce through Chrome policy.