Features
- Automatic Detection: Automatically detects when you're viewing an Apple Shortcut on iCloud.com
- Side Panel Interface: Clean, modern side panel UI built with React and Chakra UI
- AI Security Analysis: AI-powered security scanner with risk assessment and recommendations
- Multiple Export Formats: Download as .shortcut, XML, or JSON format
Multiple Views
- Overview: View metadata, general information, shortcut URL with visual icon and color previews
- Actions: Browse all actions with search, expand/collapse all functionality
- Scanner: AI-powered security scanner & analysis with risk assessment and recommendations
- API Response: View the raw iCloud API response data
- Raw XML: View and download the shortcut in XML plist format
- Raw JSON: View and download the shortcut in JSON format
AI Security Analysis
The extension includes a powerful AI-powered security analysis feature that helps you understand potential risks before installing a shortcut.
Supported AI Providers
- OpenAI (GPT-4o, GPT-4o Mini, GPT-4 Turbo)
- Anthropic (Claude Sonnet 4.5, Claude Opus 4.5, Claude 4.5 Haiku)
- OpenRouter (Models above, Gemini 2.0 Flash, DeepSeek v3.2, Qwen3 Max and Llama 3.1)
Analysis Modes
- Quick Scan: Fast initial assessment. Provides a quick risk overview and top concerns.
- Standard Analysis: Comprehensive review. Detailed findings, data flow analysis, and recommendations.
- Deep Analysis: Thorough security audit. Includes adversarial analysis, obfuscation detection, and trust chain review.
What It Analyzes
- Purpose Analysis: Compares what the shortcut claims to do vs. what it actually does
- Data Flow Tracking: Maps how data moves from sources to destinations
- External Connections: Identifies all URLs and network calls with reputation assessment
- Permission Analysis: Reviews required permissions and flags potentially unnecessary access
- Red Flags: Detects suspicious patterns like path traversal, hardcoded API keys, or obfuscation
- Positive Indicators: Highlights legitimate patterns that suggest safe behavior
Security & Privacy
Your API keys are encrypted locally using AES-256-GCM with PBKDF2 key derivation (800,000 iterations). Keys are bound to your browser installation and cannot be extracted. They are never sent anywhere except to the AI provider you select for analysis.
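The key-storage scheme described above (PBKDF2 with 800,000 iterations deriving an AES-256-GCM key through the Web Crypto API) looks like this in plain JavaScript. This is an added example, not the extension's own code; SHA-256 as the PBKDF2 hash, the salt and IV sizes, the record layout and all function names are assumptions, and the binding to the browser installation is not modelled.

```javascript
// Added example, not the extension's code. Assumed: SHA-256 as the PBKDF2 hash,
// 16-byte salt, 12-byte IV, base64 record layout, all function names.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback: old Node
const PBKDF2_ITERATIONS = 800_000; // iteration count stated on this page
const enc = new TextEncoder();
const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

async function deriveKey(password, salt) {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(password), "PBKDF2", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: PBKDF2_ITERATIONS },
    material,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable: exportKey() on the derived AES key will fail
    ["encrypt", "decrypt"]);
}

async function encryptApiKey(apiKey, password) {
  const salt = wc.getRandomValues(new Uint8Array(16)); // fresh salt per record
  const iv = wc.getRandomValues(new Uint8Array(12)); // 96-bit nonce, never reused
  const key = await deriveKey(password, salt);
  const ct = await wc.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(apiKey));
  return { v: 1, salt: b64(salt), iv: b64(iv), ct: b64(ct) }; // ct includes the GCM tag
}

async function decryptApiKey(record, password) {
  const key = await deriveKey(password, unb64(record.salt));
  try {
    const pt = await wc.subtle.decrypt(
      { name: "AES-GCM", iv: unb64(record.iv) }, key, unb64(record.ct));
    return new TextDecoder().decode(pt);
  } catch {
    return null; // tag check failed: wrong password or modified record
  }
}

// Round trip on a constructed (fake) key, plus the two failure cases.
async function demo() {
  const rec = await encryptApiKey("sk-constructed-example-key", "correct horse");
  const bad = unb64(rec.ct).map((b, i) => (i === 0 ? b ^ 1 : b)); // flip one bit
  return {
    ok: await decryptApiKey(rec, "correct horse"),
    wrongPassword: await decryptApiKey(rec, "not the password"),
    tampered: await decryptApiKey({ ...rec, ct: b64(bad) }, "correct horse"),
  };
}
```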
Setup
- Open Settings (gear icon in the top-right)
- Add your API key for your preferred provider
- Create a strong encryption password
- Select your preferred model for analysis
- Navigate to any shortcut and click the "Analysis" tab
- Click "Run Security Analysis"
Tech Stack
- TypeScript - Type-safe development
- React 18 - UI framework
- Chakra UI - Component library
- Zustand - State management with persistence
- Vite - Build tool
- @plist/parse - Binary plist parsing
- Chrome Extension Manifest V3 - Modern extension API
- Web Crypto API - AES-256-GCM encryption for API keys
Installation
For Development
- Clone the repository
- Install dependencies:
  npm install
- Build the extension:
  npm run build
- Load in Chrome:
  - Open Chrome and navigate to chrome://extensions/
  - Enable "Developer mode" (toggle in top-right)
  - Click "Load unpacked"
  - Select the dist folder from this project
For Development with Hot Reload
npm run dev
Then load the dist folder as an unpacked extension. The extension will rebuild automatically when you make changes.
Usage
- Navigate to an iCloud Shortcut: Go to any shortcut on iCloud.com (e.g., https://www.icloud.com/shortcuts/abc123...)
- Open the Side Panel: Click the extension icon to open the side panel
- Explore the Shortcut: Use the various tabs to view details, actions, and raw data
- Download or Copy: Use the download buttons or copy content to clipboard
How It Works
- Content Script Detection: When you visit iCloud.com/shortcuts/*, the content script detects the shortcut URL and notifies the background service worker.
- Side Panel Opens: The background worker opens the side panel and sends the shortcut URL.
- Fetching Data: The side panel fetches metadata from the iCloud API and downloads the unsigned binary plist file.
- Display: The parsed data is displayed in a user-friendly interface with multiple tabs for different views.
- Export: Users can download or copy the data in XML or JSON format.
Known Limitations
- Requires the shortcut to be publicly accessible on iCloud.com
- Does not support converting XML back to binary plist
License
Licensed under the Apache License, Version 2.0. See LICENSE for details.