How to install chrome-extension
npx skills add https://github.com/samber/cc-skills --skill chrome-extensionFull instructions (SKILL.md)
Source of truth, from samber/cc-skills.
name: chrome-extension description: "Comprehensive guide for building Chrome extensions with Manifest V3. Use this skill whenever the user mentions Chrome extension, browser extension, manifest.json, content script, service worker (in extension context), popup, side panel, chrome.runtime, chrome.tabs, chrome.storage, chrome.scripting, background script, MV3, Manifest V3, or any Chrome extension API. Also trigger when the user wants to inject scripts into web pages, communicate between page and background, bypass CSP from a content script, build an RPC layer over chrome messaging, or publish to the Chrome Web Store. Covers both new extension projects and adding features to existing ones. Do NOT use for framework-specific questions." user-invocable: true license: MIT compatibility: Designed for Claude Code or similar AI coding agents. Requires git, node. metadata: author: samber version: "1.0.2" openclaw: emoji: "π" homepage: https://github.com/samber/cc-skills requires: bins: - git - node - npm allowed-tools: Read Edit Write Glob Grep Bash(git:) Bash(gh:) Bash(npm:*) AskUserQuestion
Chrome Extension Development (Manifest V3)
This skill covers everything needed to build, debug, and publish Chrome extensions with MV3. It is organized as a routing document: read this file first to understand the architecture and decision points, then load the relevant reference file for implementation details.
Reference files
Read only the reference files relevant to the current task. Each file is self-contained.
| File | When to read |
|---|---|
references/manifest-v3.md | Setting up or modifying manifest.json, configuring icons, versioning |
references/service-worker.md | Background logic, lifecycle, state persistence, alarms, events |
references/content-scripts.md | Injecting code into pages, isolated/main world, dynamic injection, SPA handling, orphaning |
references/messaging-rpc.md | Communication between any contexts, typed protocols, RPC layer, async handler patterns |
references/ui-surfaces.md | Popup, options page, side panel, context menus, commands, notifications, omnibox, devtools panel |
references/storage.md | chrome.storage (local/sync/session), quotas, reactive patterns, framework hooks |
references/network-csp.md | HTTP requests from content scripts, CSP bypass relay, declarativeNetRequest, offscreen docs, CORS |
references/permissions.md | Required/optional permissions, host permissions, activeTab, runtime request flow |
references/web-accessible-resources.md | Exposing extension files to web pages, security implications |
references/typescript-build.md | TypeScript setup, project structure, build tools comparison, bundling |
references/publishing.md | Chrome Web Store submission, review process, rejection reasons, updates, privacy policy |
references/execution-contexts.md | Communication flow diagrams, per-context capabilities/limits, choosing the right messaging method |
references/debugging-mistakes.md | DevTools for extensions, testing SW termination, common gotchas, error patterns |
Architecture overview
A Chrome extension has up to 5 execution contexts that communicate via message passing:
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Extension Process β
β βββββββββββββββββββ βββββββββ βββββββββββ ββββββββ β
β β Service Worker β β Popup β β Options β β Side β β
β β (background) β β β β Page β βPanel β β
β β - No DOM β β Full β β Full β β Full β β
β β - Ephemeral β β DOM β β DOM β β DOM β β
β β - All chrome.* β β All β β All β β All β β
β β APIs β β APIs β β APIs β β APIs β β
β ββββββββββ¬ββββββββββ βββββ¬ββββ ββββββ¬βββββ ββββ¬ββββ β
β β chrome.runtime.sendMessage / connect β β
βββββββββββββΌβββββββββββββββββΌββββββββββββΌβββββββββββΌβββββββ
β β β β
chrome.tabs.sendMessage β β β
β β β β
βββββββββββββΌβββββββββββββββββΌββββββββββββΌβββββββββββΌβββββββ
β Web Page βΌ β
β ββββββββββββββββββββ ββββββββββββββββββββ β
β β Content Script β β Main World Script β β
β β (isolated world) βββββΊβ (page context) β β
β β - Shared DOM β β - Shared DOM β β
β β - Own JS scope β β - Page JS scope β β
β β - chrome.runtime β β - No chrome.* API β β
β β - chrome.storage β β - Full page accessβ β
β β - Subject to CSP β β - Subject to CSP β β
β β (network only) β β (fully) β β
β ββββββββββββββββββββ ββββββββββββββββββββ β
β β² window.postMessage β
β β (through shared DOM) β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Communication flows (labeled channels)
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Extension Process β
β β
β βββββββββββββββββββ chrome.runtime βββββββββ βββββββββββ ββββββββ β
β β Service Worker βββ.sendMessage()βββ Popup β β Options β β Side β β
β β (background) βββ.connect()βββββββ β β Page β βPanel β β
β β β βββββββββ βββββββββββ ββββββββ β
β β - No DOM β ββββββββββββββββββββββββββββββββββββββββββββββ β
β β - Ephemeral 30s β β SW cannot push to these pages. β β
β β - All chrome.* β β Use: ports (.connect) or storage.onChanged β β
β ββββββββββ¬ββββββββββ ββββββββββββββββββββββββββββββββββββββββββββββ β
β β β
β chrome.storage.onChanged βββ fires across ALL contexts simultaneously β
β β
βββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β chrome.tabs.sendMessage(tabId, ...) [SW must know tabId]
β
βββββββββββββΌβββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β Web Page βΌ β
β ββββββββββββββββββββ window.postMessage ββββββββββββββββββββ β
β β Content Script ββββββββββββββββββββββΊβ Main World Script β β
β β (isolated world) β Custom DOM events β (page context) β β
β β β β β β
β β chrome.runtime ββββΌββ to/from SW β No chrome.* APIs β β
β β chrome.storage β β Full page JS β β
β β Shared DOM β β Shared DOM β β
β β Page CSP (network)β β Page CSP (full) β β
β ββββββββββββββββββββ ββββββββββββββββββββ β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
For detailed flow diagrams (three-layer bridge, cross-extension, storage broadcast) and a per-context breakdown of permissions, limits, and workarounds: β Read references/execution-contexts.md
Communication methods at a glance
| Method | Direction | Best for |
|---|---|---|
chrome.runtime.sendMessage | Any ext context β SW | One-shot request/response (90% of cases) |
chrome.tabs.sendMessage | SW β content script (by tabId) | Pushing data to a specific tab |
chrome.runtime.connect (Port) | Bidirectional | Streaming, progress, SW β popup |
window.postMessage | Between worlds on same page | Page JS β content script bridge |
chrome.storage.onChanged | Broadcast to all contexts | Settings sync, no messaging needed |
β Full matrix with limits and edge cases: references/execution-contexts.md β Implementation patterns, typed protocols, RPC layer: references/messaging-rpc.md
Key architectural rules
-
Service worker is ephemeral. It terminates after 30s of inactivity. All state must be persisted to chrome.storage. All event listeners must be registered synchronously at the top level. Never use setTimeout/setInterval for anything beyond a few seconds. β Read
references/service-worker.md -
Content scripts run in the page's origin. Network requests from content scripts are subject to the page's CSP and CORS. To bypass, relay through the service worker. β Read
references/network-csp.md -
Messaging is the backbone. Every cross-context interaction uses chrome.runtime messaging. The #1 bug: forgetting to
return truefrom async message listeners. β Readreferences/messaging-rpc.md -
Permissions determine CWS review speed. Broad host_permissions trigger manual review (weeks). activeTab + optional permissions = fast automated review. β Read
references/permissions.md -
Popup is destroyed on blur. Side panel persists. Choose based on interaction duration. β Read
references/ui-surfaces.md
Decision tree: which context handles what?
"I need to run code when the user visits a page"
β Content script. Static (manifest) for known URL patterns, dynamic (chrome.scripting) for user-triggered injection. Default to isolated world unless you need page JS access. β Read references/content-scripts.md
"I need to make an HTTP request to my API"
- From popup/options/side panel: direct fetch() works (extension origin, no CSP issues)
- From content script on a page with restrictive CSP: relay through service worker
- From service worker: direct fetch() works (requires host_permissions for the target domain) β Read
references/network-csp.md
"I need to store user settings"
- Settings that sync across devices: chrome.storage.sync (100KB limit)
- Large data or caches: chrome.storage.local (10MB, or unlimited with permission)
- Ephemeral state surviving SW restarts: chrome.storage.session β Read
references/storage.md
"I need to modify HTTP headers or block requests"
β declarativeNetRequest (NOT webRequest, which lost blocking in MV3) β Read references/network-csp.md
"I need the page's JavaScript to talk to my extension"
β Three-layer bridge: page (window.postMessage) β content script β service worker β Read references/messaging-rpc.md
"I need to understand what each context can and cannot do"
β Read references/execution-contexts.md β per-context cards listing chrome.* access, DOM, network, storage, lifetime, hard limits, and practical workarounds.
"I need periodic background tasks"
β chrome.alarms (minimum 30s interval). NOT setTimeout. β Read references/service-worker.md
"I need DOM APIs in the background" (DOMParser, Canvas, Audio)
β Offscreen document. One per extension, only chrome.runtime available. β Read references/network-csp.md
"I need to authenticate with OAuth"
β chrome.identity.launchWebAuthFlow() or chrome.identity.getAuthToken() (Google only) β Read references/service-worker.md (identity section)
Workflow: new extension from scratch
-
Define the manifest with minimum permissions. Start with
activeTab+scripting. β Readreferences/manifest-v3.md -
Set up TypeScript and build tooling (or use CRXJS for Vite-based dev). β Read
references/typescript-build.md -
Implement the service worker with all event listeners at the top level. β Read
references/service-worker.md -
Add content scripts if you need page interaction. β Read
references/content-scripts.md -
Build UI surfaces (popup, options, side panel) as needed. β Read
references/ui-surfaces.md -
Wire up messaging between all contexts. β Read
references/messaging-rpc.md -
Test with DevTools, specifically test service worker termination. β Read
references/debugging-mistakes.md -
Publish to Chrome Web Store. β Read
references/publishing.md
Workflow: adding a feature to an existing extension
- Identify which context the feature belongs to (see decision tree above).
- Read the relevant reference file(s) for that context.
- Check if new permissions are needed. Prefer optional_permissions for new capabilities. β Read
references/permissions.md - Update the manifest if adding new content scripts, UI surfaces, or permissions.
- Handle extension updates gracefully (content script orphaning). β Read
references/content-scripts.md(orphaning section)
Minimal manifest.json template
{
"manifest_version": 3,
"name": "My Extension",
"version": "1.0.0",
"description": "What it does in one sentence",
"permissions": ["storage", "activeTab", "scripting"],
"action": {
"default_popup": "popup.html",
"default_icon": {
"16": "icons/icon16.png",
"48": "icons/icon48.png",
"128": "icons/icon128.png"
}
},
"background": {
"service_worker": "background.js",
"type": "module"
},
"icons": {
"16": "icons/icon16.png",
"48": "icons/icon48.png",
"128": "icons/icon128.png"
}
}
β For the full manifest reference with all fields: references/manifest-v3.md
Code patterns quick reference
Async message handler (the safe pattern)
// Wrap async handlers to avoid the return-true trap
function asyncHandler(
fn: (msg: any, sender: chrome.runtime.MessageSender) => Promise<any>,
) {
return (
message: any,
sender: chrome.runtime.MessageSender,
sendResponse: (r: any) => void,
) => {
fn(message, sender)
.then(sendResponse)
.catch((e) => sendResponse({ __error: true, message: e.message }));
return true; // literal true, not Promise<true>
};
}
chrome.runtime.onMessage.addListener(
asyncHandler(async (msg, sender) => {
if (msg.type === "FETCH") {
const res = await fetch(msg.url);
return { ok: res.ok, data: await res.text() };
}
}),
);
CSP bypass relay (content script β service worker β API)
// content-script.ts
async function apiCall(endpoint: string, options?: RequestInit) {
return chrome.runtime.sendMessage({ type: "API_RELAY", endpoint, options });
}
// background.ts
const ALLOWED_ENDPOINTS = ["https://api.example.com"];
chrome.runtime.onMessage.addListener(
asyncHandler(async (msg) => {
if (msg.type !== "API_RELAY") return;
if (!ALLOWED_ENDPOINTS.some((e) => msg.endpoint.startsWith(e))) {
throw new Error("Blocked endpoint");
}
const res = await fetch(msg.endpoint, msg.options);
return { ok: res.ok, status: res.status, data: await res.text() };
}),
);
Persist state across SW restarts
// Use chrome.storage.session for ephemeral state
chrome.storage.session.setAccessLevel({
accessLevel: "TRUSTED_AND_UNTRUSTED_CONTEXTS",
});
async function getState<T>(key: string, fallback: T): Promise<T> {
const result = await chrome.storage.session.get(key);
return result[key] ?? fallback;
}
async function setState<T>(key: string, value: T): Promise<void> {
await chrome.storage.session.set({ [key]: value });
}
Orphaned content script detection
function isExtensionContextValid(): boolean {
try {
return !!chrome.runtime?.id;
} catch {
return false;
}
}
// Before any chrome.runtime call
if (!isExtensionContextValid()) {
showRefreshBanner();
return;
}
What NOT to do
- Do NOT use
eval(),new Function(), or load remote scripts. MV3 forbids it. - Do NOT use
setTimeout/setIntervalfor anything > 5s in service workers. - Do NOT register event listeners inside callbacks or async functions.
- Do NOT use
<all_urls>host permission unless absolutely necessary. - Do NOT rely on DevTools keeping the service worker alive during testing.
- Do NOT forget
return truein async message listeners. - Do NOT use
localStorageorsessionStoragein service workers (they don't exist there). - Do NOT assume content scripts survive extension updates.
- Do NOT use
webRequestblocking (removed in MV3). UsedeclarativeNetRequest. - Do NOT use
chrome.extension.getBackgroundPage()(removed in MV3).
Related skills
More from samber/cc-skills and the wider catalog.
copywriting-hooks
>
linkedin-ghostwriting
B2B LinkedIn ghostwriting β strategic interview, hook engineering, and post body. Use when the user wants to write LinkedIn content, create ghostwritten posts, ghostwrite for a founder or executive, develop a B2B social strategy, or needs hooks, post structures, or copywriting frameworks for LinkedIn. Apply when the user shares a story, result, or insight and wants it turned into a post.
copywriting-tone-of-voice-creator
Build a brand tone of voice guide (TONE.md) via discovery, voice definition, and channel modulation. Outputs voice attributes with do's/don'ts, NN/g positioning, tone modulation matrix, lexicon, mechanics, and channel rules β consumed by downstream content skills writing on-brand copy. Covers B2B SaaS, B2C/D2C, NGO, public sector, consulting, industrial, product-led, personal, and volunteering brands; researches uncovered contexts (politics, regulated niches, religious orgs, gaming) on demand. Also adapts an existing TONE.md to a new channel (blog β LinkedIn, web β Twitter/X, in-product UI). Optionally consumes SOUL.md to pre-fill brand identity. Apply when the user wants to create a TONE.md, define brand voice, port voice to a new channel, refresh an outdated voice, or set up a content factory writing across many supports. Not for writing individual posts, articles, emails, or UI strings (β dedicated writing skills), nor SOUL.md, PROSE.md, DESIGN.md.
conventional-git
Conventional Commits v1.0.0 branch naming, worktree naming, and commit message standards for GitHub and GitLab projects. Use when creating branches, naming worktrees, writing commits, generating commit messages, reviewing branch conventions, or setting up changelog automation. Apply when your project needs consistent git history, SemVer-driven releases, parseable changelog generation, or automatic issue closing. Trigger when the user asks how to name a worktree, create a git worktree, or organize worktrees alongside branches.
technical-article-writer
Write compelling technical articles and blog posts for developer audiences. Use this skill whenever the user asks to write a blog post, technical article, or any long-form technical content. Also trigger when the user says 'write about [technical topic]', 'help me draft an article', 'turn this into a blog post', 'write a post about', 'I want to publish something about', or mentions writing for a developer audience. Covers the full pipeline: idea sharpening, hook/title generation, article structure, body drafting, and editing. Even if the user just says 'I want to write about X' without specifying format, use this skill. Do NOT use for platform-specific optimization, newsletter strategy, or ghostwriting voice matching.
copywriting-cta
Design end-of-article CTAs (calls-to-action placed at the bottom of blog posts, newsletters, essays, articles, or any long-form content). Use this skill whenever the user asks to write, design, review, or improve a CTA at the bottom of an article, blog post, or essay; mentions "end-of-post CTA", "bottom of the article", "call-to-action", "signup box", "newsletter CTA", "subscribe block", "what should I put at the bottom", "how do I get readers to subscribe / share / book a call / buy / follow / join / download"; or asks how to convert article readers into subscribers, leads, customers, community members, or supporters. Also trigger when the user wants A/B testing guidance or accessibility review for a CTA block. Covers independent / personal writing, newsletter publications, and brand / content-marketing blogs across any topic β tech, finance, food, climate, design, lifestyle, B2B, B2C. Produces both the copy (content) and the structural / visual design (form), matched to the user's objective and audience.