Chrome Extensions

Name: Chrome Extensions
Author: googlechrome

googlechrome/modern-web-guidance

Scaffold, debug, and ship a Manifest V3 Chrome extension—including Web Store listing, permissions, and review fixes.

Overview

Chrome Extensions is an agent skill for the Build phase that implements and debugs Manifest V3 Chrome extensions and prepares them for Chrome Web Store publishing.

Install

npx skills add https://github.com/googlechrome/modern-web-guidance --skill chrome-extensions

What is this skill?

Manifest V3 mandatory rules: real per-size icons or omit icons—never reuse one file for 16/48/128
Covers content scripts, extension service workers, popup, side panel, and chrome.* APIs
Includes declarativeNetRequest, omnibox, and context-menu extension patterns
Part 2 guidance for Chrome Web Store publish, permission justifications, privacy policy, and review rejection
Triggers on 'Chrome extension', manifest.json, content script, and browser-integration requests
Mandatory Rules section addresses top causes of non-functional MV3 builds

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 905 installs on skills.sh; 1.3k GitHub stars; 2/3 security scanners passed (skills.sh audits).

What problem does it solve?

You need browser UI integration or a Chrome add-on but MV3 rules, missing assets, or store policy easily produce a broken or rejected extension.

Who is it for?

Solo builders shipping a Chrome extension or browser helper with popups, content scripts, or network rules.

Skip if: Safari/Firefox-only add-ons, pure SaaS web apps with no extension manifest, or native desktop apps outside the Extensions API.

When should I use this skill?

User mentions Chrome extension, manifest.json, content script, service worker (browser), popup/side panel, chrome.* API, or Chrome Web Store publishing.

What do I get? / Deliverables

A compliant Manifest V3 extension structure with correct icons and APIs, plus publish-ready artifacts and review responses when listing.

manifest.json and MV3 extension source layout
Store listing copy: permissions justification and privacy policy drafts

Recommended Skills

Frontend Designanthropics/skills

Frontend Design is an agent skill for solo and indie builders who want web interfaces that look intentional, not like ev…516k installs·148k stars

Vercel React Best Practicesvercel-labs/agent-skills

Vercel React Best Practices is an agent skill packaging Vercel Engineering’s performance playbook for React and Next.js.…459k installs·27.7k stars

Remotion Best Practicesremotion-dev/skills

Remotion Best Practices is a domain knowledge agent skill for solo and indie builders who ship video with Remotion—progr…357k installs·3.5k stars

Vercel Composition Patternsvercel-labs/agent-skills

Vercel Composition Patterns is an agent-oriented skill from Vercel Labs that documents how solo and indie builders shoul…204k installs·27.7k stars

Develop Userscriptsxixu-me/skills

Guides building and fixing browser userscripts for Tampermonkey and ScriptCat, emphasizing runtime selection, minimal pe…154k installs·61 stars

Next Best Practicesvercel-labs/next-skills

Next Best Practices is a Vercel Labs agent skill that encodes how to write and review modern Next.js App Router projects…102k installs·919 stars

Journey fit

Primary fit

BuildUI/UX & frontend

Extension code, manifest, and Chrome APIs are product build work before distribution; canonical shelf is build even though publishing touches launch. Extensions are HTML/CSS/JS surfaces plus service workers and content scripts—frontend build patterns with browser-specific APIs.

Also useful

LaunchDistribution & launch channels

Also useful

ShipSecurity

How it compares

Official MV3 extension playbook—not a generic React SPA or Electron desktop template.

Common Questions / FAQ

Who is chrome-extensions for?

Indie developers and small teams building Chrome browser extensions who need Manifest V3 correctness and optional Web Store launch steps.

When should I use chrome-extensions?

Use it in Build while coding manifest.json, content scripts, service workers, or chrome APIs; extend into Launch when preparing store submission or answering a review rejection.

Is chrome-extensions safe to install?

Extension skills may suggest broad host permissions and network rules—review the Security Audits panel on this page and narrow permissions before publishing.

SKILL.md

READMESKILL.md - Chrome Extensions

# Chrome Extensions

Build production-quality Chrome extensions using Manifest V3 and publish them to the Chrome Web Store.

## Part 1 — Building Extensions

### Mandatory Rules

These address the most common causes of broken extensions. Violating any produces a non-functional build.

#### 1. Icons: only reference files you create — or omit icons entirely

```
❌ BROKEN — referencing files that don't exist or reusing one file for all sizes:
   "icons": { "16": "icon.png", "48": "icon.png", "128": "icon.png" }

✅ CORRECT — each size is a separate file at the correct pixel dimensions:
   "icons": { "16": "icons/icon-16.png", "48": "icons/icon-48.png", "128": "icons/icon-128.png" }
   (where icon-16.png is 16×16px, icon-48.png is 48×48px, icon-128.png is 128×128px)

✅ ALSO CORRECT — omit icons from manifest if you cannot generate real PNG files:
   (just remove the "icons" and "default_icon" fields — Chrome uses a default icon)
```

**If you include icon references, you MUST create the actual image files.** Generate them with a script (see `references/extensions/icons.md`) or leave them out. Never reference non-existent files.

#### 2. Side panel: you MUST provide a way to open it

Defining `"side_panel": {"default_path": "..."}` does NOT make it openable. Add a trigger:

```js
// In service-worker.js — open side panel on extension icon click
// IMPORTANT: chrome.action.onClicked ONLY fires when there is NO default_popup
chrome.action.onClicked.addListener(async (tab) => {
  await chrome.sidePanel.open({ windowId: tab.windowId });
});
```

If the extension has both a popup AND side panel, add a button in the popup that calls `chrome.sidePanel.open()`. Alternatively, use `chrome.sidePanel.setPanelBehavior({ openPanelOnActionClick: true })` — but the property is `openPanelOnActionClick`, NOT `openPanelOnActionIconClick`; the "Icon" variant causes a synchronous TypeError that silently aborts the service worker. Do NOT also define `default_popup` when using `setPanelBehavior`. See `references/extensions/side-panel.md`.

#### 3. Code execution: sandboxed iframes ONLY

Extension CSP blocks `eval()`, `new Function()`, inline `<script>` in all extension pages.

```js
// ❌ BROKEN — direct iframe DOM access throws SecurityError
iframe.contentDocument.write(html);

// ❌ BROKEN — eval in extension page
eval(userCode); // CSP blocks this

// ✅ OPTION A: Sandbox in manifest + postMessage
// manifest.json: { "sandbox": { "pages": ["sandbox.html"] } }
iframe.contentWindow.postMessage({ html, css, js }, '*');
// sandbox.html receives and runs:
window.addEventListener('message', (e) => { eval(e.data.js); /* allowed in sandbox */ });

// ✅ OPTION B: Blob URL (creates separate origin, bypasses extension CSP)
iframe.src = URL.createObjectURL(new Blob([doc], { type: 'text/html' }));

// ✅ OPTION C: srcdoc
iframe.srcdoc = `<style>${css}</style>${html}<script>${js}<\/script>`;
```

See `references/extensions/csp-sandbox.md` for full details.

#### 4. `tab.url` requires the `tabs` permission

Without it, `tab.url` silently returns `undefined` — no error thrown.

```js
// manifest.json — REQUIR

What is this skill?

Manifest V3 mandatory rules: real per-size icons or omit icons—never reuse one file for 16/48/128

Covers content scripts, extension service workers, popup, side panel, and chrome.* APIs

Includes declarativeNetRequest, omnibox, and context-menu extension patterns

Part 2 guidance for Chrome Web Store publish, permission justifications, privacy policy, and review rejection

Triggers on 'Chrome extension', manifest.json, content script, and browser-integration requests

Mandatory Rules section addresses top causes of non-functional MV3 builds

Compatible agents: Claude Code, Cursor, Codex, Windsurf

Adoption & trust: 905 installs on skills.sh; 1.3k GitHub stars; 2/3 security scanners passed (skills.sh audits).

Journey fit

Primary fit

BuildUI/UX & frontend

Also useful

LaunchDistribution & launch channels

Also useful

ShipSecurity

SKILL.md

READMESKILL.md - Chrome Extensions

# Chrome Extensions

Build production-quality Chrome extensions using Manifest V3 and publish them to the Chrome Web Store.

## Part 1 — Building Extensions

### Mandatory Rules

These address the most common causes of broken extensions. Violating any produces a non-functional build.

#### 1. Icons: only reference files you create — or omit icons entirely

```
❌ BROKEN — referencing files that don't exist or reusing one file for all sizes:
   "icons": { "16": "icon.png", "48": "icon.png", "128": "icon.png" }

✅ CORRECT — each size is a separate file at the correct pixel dimensions:
   "icons": { "16": "icons/icon-16.png", "48": "icons/icon-48.png", "128": "icons/icon-128.png" }
   (where icon-16.png is 16×16px, icon-48.png is 48×48px, icon-128.png is 128×128px)

✅ ALSO CORRECT — omit icons from manifest if you cannot generate real PNG files:
   (just remove the "icons" and "default_icon" fields — Chrome uses a default icon)
```

**If you include icon references, you MUST create the actual image files.** Generate them with a script (see `references/extensions/icons.md`) or leave them out. Never reference non-existent files.

#### 2. Side panel: you MUST provide a way to open it

Defining `"side_panel": {"default_path": "..."}` does NOT make it openable. Add a trigger:

```js
// In service-worker.js — open side panel on extension icon click
// IMPORTANT: chrome.action.onClicked ONLY fires when there is NO default_popup
chrome.action.onClicked.addListener(async (tab) => {
  await chrome.sidePanel.open({ windowId: tab.windowId });
});
```

If the extension has both a popup AND side panel, add a button in the popup that calls `chrome.sidePanel.open()`. Alternatively, use `chrome.sidePanel.setPanelBehavior({ openPanelOnActionClick: true })` — but the property is `openPanelOnActionClick`, NOT `openPanelOnActionIconClick`; the "Icon" variant causes a synchronous TypeError that silently aborts the service worker. Do NOT also define `default_popup` when using `setPanelBehavior`. See `references/extensions/side-panel.md`.

#### 3. Code execution: sandboxed iframes ONLY

Extension CSP blocks `eval()`, `new Function()`, inline `<script>` in all extension pages.

```js
// ❌ BROKEN — direct iframe DOM access throws SecurityError
iframe.contentDocument.write(html);

// ❌ BROKEN — eval in extension page
eval(userCode); // CSP blocks this

// ✅ OPTION A: Sandbox in manifest + postMessage
// manifest.json: { "sandbox": { "pages": ["sandbox.html"] } }
iframe.contentWindow.postMessage({ html, css, js }, '*');
// sandbox.html receives and runs:
window.addEventListener('message', (e) => { eval(e.data.js); /* allowed in sandbox */ });

// ✅ OPTION B: Blob URL (creates separate origin, bypasses extension CSP)
iframe.src = URL.createObjectURL(new Blob([doc], { type: 'text/html' }));

// ✅ OPTION C: srcdoc
iframe.srcdoc = `<style>${css}</style>${html}<script>${js}<\/script>`;
```

See `references/extensions/csp-sandbox.md` for full details.

#### 4. `tab.url` requires the `tabs` permission

Without it, `tab.url` silently returns `undefined` — no error thrown.

```js
// manifest.json — REQUIR

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is chrome-extensions for?

When should I use chrome-extensions?

Is chrome-extensions safe to install?

SKILL.md

This week for builders

Overview

Install

What is this skill?

What problem does it solve?

Who is it for?

When should I use this skill?

What do I get? / Deliverables

Recommended Skills

Journey fit

Who is chrome-extensions for?

When should I use chrome-extensions?

Is chrome-extensions safe to install?

SKILL.md