SECURITY
Installing a browser extension is a trust decision. An extension can read every page you visit if it asks for the wrong permissions. So before you install anything — ours included — you should know exactly what runs in your browser, where the code comes from, and how it gets there.
This page documents what we do to make Antares safe to install and how to verify it yourself.
Code integrity
No remote code
The extension never calls eval() and never loads JavaScript from a server at runtime. Everything is in the static bundle that Chrome reviewed at install time. Manifest V3 enforces this at the browser level.
Signed by Google
The published bundle is signed by the Chrome Web Store. Chrome verifies the signature on every auto-update; tampered code is rejected before it runs.
Minimum permissions
Five permissions, eight host permissions. No password access, no form-fill, no browsing history, no cookies, no webRequest, no identity, no downloads. Full list in section 8 of the privacy policy.
No analytics, no tracking
No third-party analytics scripts, no fingerprinting, no scan-to-identity tying. The extension sends only the public Solana contract address you’re looking at — nothing else leaves your browser.
What permissions Antares asks for, and why
Manifest V3, minimum-privilege:
- storage — remember your settings (theme, alert thresholds, dismissed notifications) locally. Stored in chrome.storage.local; never synced, never sent off-device.
- activeTab + tabs — read the URL and visible DOM only on the supported Solana platforms (DexScreener, pump.fun, Axiom, Photon, Birdeye, GeckoTerminal, GMGN, Telemetry). The extension is dormant on every other site — including Twitter, Telegram, your bank, your email, your password manager.
- notifications — alert you when a token’s verdict escalates (e.g. CAUTION → DANGER while you’re still on the page).
- alarms — periodic background re-scans for tokens you’re actively watching.
Permissions not requested: passwords, form-fill, browsing history, downloads, cookies, webRequest, identity. The full permissions and host_permissions arrays are visible in section 8 of our privacy policy.
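One way to check these claims against a manifest.json yourself, as an added example that is not Antares' own code. The allow-list comes from the five permissions named above; the function name, the sample manifests and their host patterns are constructed placeholders.

```javascript
// Added example: audit a parsed manifest.json against the claims on this page.
const ALLOWED = new Set(["storage", "activeTab", "tabs", "notifications", "alarms"]);
const MAX_HOSTS = 8; // the page states eight host permissions
// Patterns that match every site: <all_urls>, *://*/*, https://*/*, http://*/*
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/)/;

function auditManifest(manifest) {
  const findings = [];
  if (manifest.manifest_version !== 3) {
    findings.push(`manifest_version is ${manifest.manifest_version}, expected 3`);
  }
  // Optional permissions can be granted after install, so audit them as well.
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  for (const p of perms) {
    if (!ALLOWED.has(p)) findings.push(`unexpected permission: ${p}`);
  }
  const hosts = [...(manifest.host_permissions || []),
                 ...(manifest.optional_host_permissions || [])];
  if (hosts.length > MAX_HOSTS) {
    findings.push(`${hosts.length} host permissions, expected at most ${MAX_HOSTS}`);
  }
  // Content-script match patterns grant page access too, so check them for breadth.
  const matches = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  for (const h of new Set([...hosts, ...matches])) {
    if (BROAD_HOST.test(h)) findings.push(`broad host pattern: ${h}`);
  }
  // MV3 CSP is an object; flag eval or a remote origin in script-src.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  const scriptSrc = csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("script-src")) || "";
  if (/'unsafe-eval'|https?:\/\//.test(scriptSrc)) {
    findings.push(`script-src allows eval or remote code: ${scriptSrc}`);
  }
  return findings;
}

// Constructed sample manifests; the host patterns are placeholders, not Antares' real ones.
const SAMPLE_OK = {
  manifest_version: 3,
  permissions: ["storage", "activeTab", "tabs", "notifications", "alarms"],
  host_permissions: ["https://dex.example/*", "https://launchpad.example/*"],
  content_scripts: [{ matches: ["https://dex.example/*"], js: ["content.js"] }],
};
const SAMPLE_BAD = {
  manifest_version: 3,
  permissions: ["storage", "cookies", "webRequest"],
  host_permissions: ["<all_urls>"],
  content_security_policy: { extension_pages: "script-src 'self' 'unsafe-eval'" },
};
console.log(auditManifest(SAMPLE_OK), auditManifest(SAMPLE_BAD));
```

To audit a real install, pass in the parsed manifest.json from the extension's directory in your browser profile. An empty result means the manifest stays within the permissions listed above.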
What data leaves your browser
Only what the scan needs:
- The Solana contract address you’re scanning — sent to /api/scan on our Vercel deployment.
- An optional install ID (random UUID generated on install, stored locally) to scope rate-limiting per installation rather than per IP. Cannot be linked back to you.
- The browser’s IP address, visible to Vercel for the duration of the request. Never logged with the contract address; never persisted past the 60-second sliding rate-limit window.
What never leaves: page contents, URLs, form data, cookies, local storage outside Antares’ own bucket, your wallet address, your transaction history. Full breakdown on the privacy page.
Update mechanism
Updates ship through the Chrome Web Store auto-update channel. Chrome checks for updates every few hours, downloads them in the background, and applies them on the next browser restart. Each update bundle is signed by the same Web Store key — a tampered update is rejected at the browser level.
If a security issue is discovered between releases, an emergency update can be pushed within hours. The version number in the navbar of every page on this site (v1.3.0) is always the canonical released version.
Vulnerability disclosure
If you find a security issue — an XSS in the overlay, a way to bypass the safe gate, an upstream API that leaks data, anything that affects user safety — please report it privately rather than posting it in any public channel.
- Preferred: email antaresantiscam@gmail.com with subject [SECURITY] and a clear repro.
- Alternative: DM @antaresantiscam on Twitter to coordinate (rotate to email for the actual report — DMs are not the right channel for exploit details).
We acknowledge reports within 48 hours, target a fix within 7 days for critical issues, and publish a brief post-mortem on the changelog once the fix ships.
Past incidents
None publicly disclosed to date. If/when that changes, this section becomes a dated list with full post-mortems linked. Transparency over silence.