Extension Manifest & Permissions Generator

Generate the best manifest.json based on current extension implementation. Analyze code to determine minimum permissions following Chrome docs and best practices.

Workflow

Detect framework: check for wxt.config.ts, plasmo.config.ts, or raw manifest.json
Scan the extension codebase for Chrome API usage
Map each API call to its required permission (see references/api-permission-map.md)
Generate manifest.json with minimum required permissions
Validate against Chrome docs and CWS policies
Report permission warnings users will see

Plasmo projects: Manifest is auto-generated from code and package.json. Override via plasmo.config.ts. See https://docs.plasmo.com/

Docs References

Manifest reference: https://developer.chrome.com/docs/extensions/reference/manifest
Permissions list: https://developer.chrome.com/docs/extensions/reference/permissions-list

Quick Manifest Template

{
  "manifest_version": 3,
  "name": "Extension Name",
  "version": "1.0.0",
  "description": "Brief description. Max 132 chars for CWS.",
  "icons": { "16": "icons/icon16.png", "48": "icons/icon48.png", "128": "icons/icon128.png" },
  "action": { "default_popup": "popup.html", "default_icon": { "16": "icons/icon16.png" } },
  "permissions": [],
  "host_permissions": [],
  "background": { "service_worker": "background.js", "type": "module" }
}

Permission Analysis Steps

Grep codebase for chrome. API calls
Map each to permission using references/api-permission-map.md
Prefer activeTab over tabs + host_permissions when possible
Use optional permissions for non-essential features
Check warning text in references/permission-warnings.md

Common Mistakes

Error	Fix
`host_permissions` inside `permissions`	Move URLs to separate `host_permissions` array
Using `<all_urls>`	Narrow to specific domain patterns
Missing `activeTab`	Add when only needing current tab on user click
`tabs` permission overuse	Only needed for tab URL/title; use `activeTab` instead
`content_security_policy` as string	Must be object: `{ "extension_pages": "..." }`
`web_accessible_resources` as string[]	Use object with `resources` + `matches`

Key MV3 Rules

host_permissions is separate from permissions
Service workers replace background pages (no DOM, no window)
content_security_policy is an object, not string
Remote code execution banned (no eval, no CDN scripts)
web_accessible_resources requires matches array
Use chrome.scripting.executeScript() not tabs.executeScript()

References

references/manifest-fields-reference.md - All manifest fields with types and examples
references/manifest-templates.md - Ready-to-use templates (popup, content script, sidepanel, devtools)
references/manifest-validation-checklist.md - Pre-submission validation
references/api-permission-map.md - Chrome API → permission mapping
references/permission-warnings.md - User-facing warning text per permission
references/permission-strategies.md - Optional permissions, activeTab, escalation patterns

Related Skills

extension-create - Full project scaffolding
extension-analyze - Security audit and best practices

extension-manifest

Extension Manifest & Permissions Generator

Workflow

Docs References

Quick Manifest Template

Permission Analysis Steps

Common Mistakes

Key MV3 Rules

References

Related Skills

More from quangpl/browser-extension-skills

extension-ui

extension-analyze

extension-create

extension-dev

extension-assets

extension-review