Spin.AI vs Am I Being Pwned
Spin.AI vs Am I Being Pwned: score vs evidence
Spin.AI scores extensions from permissions, CVEs, reputation and a sandbox signal - the scores we benchmarked against 2,534 extensions. Here's what a verdict with captured evidence adds.
Is Spin.AI's browser extension risk assessment enough to trust an extension?
Spin.AI gives you a fast, free risk score for almost any Chrome extension. SpinMonitor checks it against a catalog Spin.AI says covers 550,000+ extensions and rates it on around 15 characteristics - permission scope, declared external communication, known CVEs, publisher reputation, machine learning, and behaviour Spin.AI says it observes in a sandbox. It's a genuinely useful first look and a common CRXcavator replacement.
What you get back, though, is a score, not the evidence behind it. Spin.AI publishes the risk level and the factors that feed it, but not a per-extension record of what actually happened - which requests left the browser, which DOM changes fired, which payload decoded. You can see that an extension was rated risky; you can't see the traffic that proves it.
That gap is why the scores are worth pressure-testing. When we benchmarked Spin.AI's scores across 2,534 extensions, they showed no meaningful correlation with the risk we found - uBlock Origin, one of the most trusted extensions there is, landed in the same band as extensions we caught harvesting data. Am I Being Pwned hands you the captured behaviour per extension, so a keep-or-remove call arrives with its proof attached.
What Spin.AI gives you
- SpinMonitor: a free, instant risk score for almost any Chrome extension, from a catalog Spin.AI says covers 550,000+ extensions
- A rating built from ~15 characteristics - permission scope, declared external communication, known CVEs, reputation, ML, and a sandbox behaviour signal
- SpinCRX (enterprise): continuous re-assessment across Chrome, Edge and Safari (Firefox rolling out), with automated revoke of risky extensions
- Reach beyond the browser as part of the SpinOne platform - Google Workspace, Microsoft 365, Slack and Salesforce, plus SSPM, SaaS DLP and backup
- Compliance-oriented reporting and a CRXcavator-replacement position
Where it stops
- You get a risk level and the factors behind it, not a per-extension record of what its sandbox captured
- No inspectable trail: the specific requests, DOM changes or decoded payloads behind a rating aren't shown
- A graded score, not a plain keep-or-remove call you can hand an auditor with the proof attached
- Scores that, in our 2,534-extension test, didn't separate the extensions harvesting data from the safe ones
- Trust signals a score leans on can't see runtime exfiltration - WhatRuns was Featured, Verified and had 400k installs while it uploaded users' ChatGPT and Claude chats
How to turn a Spin.AI score into a decision
Spin.AI gives you a fast score. Here's how to confirm whether a flagged extension is actually dangerous before you act.
1. Look the extension up in SpinMonitor
Run it through Spin.AI's free checker for an instant risk level and the permission and CVE signals behind it. That tells you where to look.
2. Ask what's behind the number
The rating rolls up permissions, external-communication flags, CVEs, reputation, ML and a sandbox signal into one score - but not the evidence. A high or low number is a prompt to dig, not proof either way.
3. Get the captured behaviour
Paste the extension ID into Am I Being Pwned to see what it did when it ran - the endpoints it hit, the data it read, anything it sent out - each finding tied to the captured request or DOM change. Or scan your whole Workspace at once.
4. Make the keep-or-kill call
Keep the extensions whose behaviour matches their job; remove the ones caught overstepping. Because every finding carries its evidence, the decision survives a second opinion.
5. Enforce and re-run
Revoke through Spin.AI, Google Workspace or your MDM, then let scheduled re-runs re-check each extension when it ships a new version.
From our published research
“Their median risk score for CRITICAL extensions (46) is actually lower than for CLEAN ones (49). The scores showed no meaningful correlation with actual risk across our sample of 2,534 extensions.”
Spin AI vs Am I Being Pwned
We tested Spin.AI's scores directly. This is the headline result.
“Spin AI scored it 51 (medium risk) - higher than Stylish, higher than Coupert, roughly the same as the extensions we observed collecting data.”
Why Permission Scoring Fails
uBlock Origin, one of the most trusted extensions, landed in the same band as data harvesters.
“They build a payload, then put it through URL encoding, double base64, JSON stringify and base64 again, a columnar transposition cipher, AES-256-CBC with a symmetric key hardcoded in the extension source, then base64 one final time.”
Stylish Is Back, Back Again
The kind of behaviour you only see once you watch the traffic leave.
Frequently asked questions
Is SpinMonitor a good CRXcavator replacement?
It's one of the common ones: free, no account, and a large catalog. Its strength and its limit are the same as CRXcavator's - it condenses an extension into a score. That's a great triage signal, but the score is the end of the road; there's no per-extension evidence trail underneath it. Pair it with a behavioural check before you trust the result.
Does Spin.AI run extensions in a sandbox?
Spin.AI's marketing says it does - it describes executing extensions in a sandbox and monitoring for anomalous behaviour, which feeds the risk score. What it doesn't hand you is the output of that run per extension: the captured requests, DOM changes, or decoded payloads. Am I Being Pwned runs the extension too, and gives you that captured evidence alongside the verdict.
How accurate are Spin.AI's risk scores?
We benchmarked them. Across 2,534 extensions, Spin.AI's scores showed no meaningful correlation with the risk we confirmed by watching the extensions run - the median for extensions we rated critical (46) sat right alongside clean ones (49). We rated 'critical' from observed behaviour like live data exfiltration, not from permissions. It's not a knock specific to Spin.AI; it's the ceiling on any single score.
Do I still need another tool if I use Spin.AI?
They do different jobs. Spin.AI is a broad SaaS-security platform that happens to score extensions; Am I Being Pwned is extension-focused and returns a verdict with the captured evidence behind it. If you need to defend a keep-or-remove decision to security or audit, the evidence trail is what you're missing.
Triage every extension in your fleet, with evidence.
Free scan of your Google Workspace in under 48 hours.