Google Workspace vs Am I Being Pwned

Triaging Browser Extensions in Google Workspace

Google Workspace has strong extension controls but shows third-party permission scores, not its own verdict. Here's how to triage Chrome extensions with behavioural evidence.

Does Google Workspace assess browser extension risk?

Google's Chrome Enterprise Core (formerly Chrome Browser Cloud Management) gives admins the best native extension controls of any platform here - a full first-party inventory, and enforcement by extension ID, by requested permission, by URL, plus force-install and an approval workflow. What it does not give you is Google's own risk assessment. The risk scores shown in the console come from third parties: Spin.AI, CRXcavator and LayerX. Google surfaces them; it doesn't compute them.

So the native Workspace answer to 'is this extension dangerous?' is either a third-party permission-based score or Chrome Web Store review - and Google's own docs acknowledge extensions 'can still temporarily bypass detection or change behavior after publication'. Store review is publish-time curation, not a per-tenant fleet verdict.

Am I Being Pwned plugs straight into that model. One Google sign-in scans every extension in your Workspace, reading and running each one to see what it really does, and ranks them by that behaviour rather than a resold permission score. Then you enforce the result through the same Chrome policies you already control.

What Google Workspace gives you

  • A complete first-party inventory of extensions across managed Chrome, with install counts and per-extension detail
  • Third-party risk scores (Spin.AI, CRXcavator, LayerX) surfaced directly in the admin console
  • The strongest native enforcement here: block by ID, by permission, by URL, force-install, and default-deny
  • An extension approval workflow so users can request installs and admins can vet them
  • Chrome Web Store review at publish time (automated scanning plus selective manual review)

Where it stops

  • Google computes no risk score of its own - the console shows third-party scores instead
  • Extensions on your fleet get no behavioural or code analysis
  • There's no verdict - you get permissions plus an embedded third-party number
  • Store review runs only at publish time, and Google notes extensions can change behaviour afterwards
  • What installed extensions actually do is never re-scanned

Google Workspace vs Am I Being Pwned

| Capability | Google Workspace | Am I Being Pwned |
|---|---|---|
| Fleet extension inventory | Yes - native, first-party | Yes - across every managed device |
| Native risk assessment | No - surfaces third-party scores | Yes - a 0-100 score from our own behavioural analysis |
| Reads the extension's source code | No - relies on third parties and store review | Yes - inspects the actual bundle |
| Dynamic sandbox execution | No | Yes - runs it and captures what it sends |
| Evidence-backed verdict | No | Yes - an evidenced keep-or-remove call |
| Continuous re-scan after updates | Store review is publish-time only | Yes - re-scanned on each new version |
| Policy enforcement | Yes - strongest native controls of the four | Yes - feeds the verdict into Chrome policy |

How to triage browser extensions in Google Workspace

Chrome Enterprise gives you great controls and a borrowed risk score. Here's how to add the missing piece - a verdict based on what the code actually does.

  1. Pull the extension inventory from Chrome Enterprise Core

    In the Admin console, open the Chrome extension usage and reporting view for a full list of what's installed across your managed browsers, with permissions and install counts.

  2. Treat the embedded score as a third-party opinion

    The risk number next to each extension comes from Spin.AI, CRXcavator or LayerX, and it's permission-based. Our analysis of 2,534 extensions found permission-derived scores had no meaningful correlation with real risk - so don't stop there.

  3. Scan the whole Workspace behaviourally

    One Google sign-in lets Am I Being Pwned rank every extension in your Workspace by what its code actually does, and emails you the report. This is the analysis Google doesn't perform itself.

  4. Enforce through Chrome policy

    Chrome Enterprise has the strongest native enforcement here - block by ID or by permission, force-install approved extensions, or default-deny. Feed the behavioural verdicts into those policies.

  5. Keep scanning after approval

    Store review runs at publish time and extensions can change behaviour later. Continuous re-scanning flags an approved extension that turns malicious in an update.
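
An added example, not from the original page and not Am I Being Pwned's or Google's code: one way to turn keep-or-remove verdicts into a default-deny value for Chrome's ExtensionSettings policy, as step 4 describes. The verdict record layout, the function name and the extension IDs are constructed for illustration; installation_mode, update_url and blocked_install_message are keys of that policy.

```python
import json
import re

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXT_ID = re.compile(r"[a-p]{32}")
# Chrome Web Store update endpoint, needed by force-installed entries.
CWS_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Constructed sample verdicts (placeholder IDs, not real extensions).
SAMPLE_VERDICTS = [
    {"id": "a" * 32, "verdict": "keep", "force_install": True},
    {"id": "b" * 32, "verdict": "keep"},
    {"id": "c" * 32, "verdict": "remove"},
]


def build_extension_settings(verdicts, install_message=None):
    """Turn keep/remove verdicts into a default-deny ExtensionSettings dict."""
    # "*" is the default entry: anything without a verdict cannot be installed.
    default = {"installation_mode": "blocked"}
    if install_message:
        default["blocked_install_message"] = install_message
    settings = {"*": default}
    for v in verdicts:
        ext_id = v["id"]
        if not EXT_ID.fullmatch(ext_id):
            raise ValueError(f"not a Chrome extension ID: {ext_id!r}")
        if ext_id in settings:
            raise ValueError(f"duplicate verdict for {ext_id}")
        if v["verdict"] == "remove":
            # "removed" blocks installation and uninstalls existing copies.
            settings[ext_id] = {"installation_mode": "removed"}
        elif v["verdict"] == "keep" and v.get("force_install"):
            # Force-installed entries must say where updates come from.
            settings[ext_id] = {"installation_mode": "force_installed",
                                "update_url": CWS_UPDATE_URL}
        elif v["verdict"] == "keep":
            settings[ext_id] = {"installation_mode": "allowed"}
        else:
            # Refuse to guess: an undecided extension stays under the default.
            raise ValueError(f"unknown verdict: {v['verdict']!r}")
    return settings


if __name__ == "__main__":
    policy = build_extension_settings(SAMPLE_VERDICTS, "Request review first.")
    print(json.dumps(policy, indent=2))
```

The printed JSON is the value to set for the ExtensionSettings policy; regenerating it after each re-scan keeps the allowlist in step with step 5.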

Frequently asked questions

Does Google Workspace give browser extensions a risk score?

Not one Google calculates. Chrome Enterprise Core surfaces third-party risk scores from Spin.AI, CRXcavator and LayerX directly in the admin console. Google's own contribution is Chrome Web Store review at publish time, not a per-tenant fleet risk assessment.

Can I block extensions by permission in Google Workspace?

Yes. Chrome Enterprise has the strongest native extension enforcement of the major platforms: you can block by extension ID, by requested permission, by URL, force-install approved extensions, and default-deny everything else, all enforced by the browser via Chrome policy.

Is Chrome Web Store review enough to keep malicious extensions out?

Not on its own. Google's own documentation notes that extensions 'can still temporarily bypass detection or change behavior after publication'. Store review is publish-time curation; it doesn't continuously check what an installed extension does on your fleet.

How do I get a real risk assessment for Workspace extensions?

Because Google surfaces third-party permission-based scores rather than analysing extensions itself, teams add a dedicated scanner. Am I Being Pwned scans every extension in your Workspace from a single Google sign-in and returns an evidence-backed verdict from reading and running the code, then you enforce through Chrome policy.

Triage every extension in your fleet, with evidence.

Free scan of your Google Workspace in under 48 hours.