Reviews for Xporter - Twitter Bookmarks Export
Xporter - Twitter Bookmarks Export by XporterAI
1 review
- Works great. Just what I wanted. I think there may be a bug on getting the tweet author's name, but that's not what I needed.
I had Claude vet the March 4 build.
Security review of xporter@xporterai.com.xpi
Verdict: appears safe to use. No malware, no data exfiltration, no external network endpoints. Your bookmarks never leave your machine.
What I checked
Unpacked the .xpi (it's just a ZIP), inspected the manifest, both JS bundles (assets/index.ts-*.js background, assets/isolated.ts-*.js content, src/content/main-world.js page-world script), and the Mozilla signing chain.
Positive signals
1. Signed by Mozilla AMO — subject=CN=xporter@xporterai.com, issuer Mozilla AMO Production Signing Service. Means it came through addons.mozilla.org and passed Mozilla's automated review.
2. Minimal, correctly-scoped permissions (manifest.json):
- Permissions: only storage, tabs
- Host permissions: only *.twitter.com and *.x.com — cannot touch any other site
- Declares data_collection_permissions: ["none"]
3. Every URL in the code points to x.com — nothing else. The only outbound endpoints are:
- x.com/sw.js and abs.twimg.com/responsive-web/client-web/*.js (read to find the bookmark API's GraphQL query ID)
- x.com/i/api/graphql/.../Bookmarks (the actual bookmark fetch)
- x.com/i/bookmarks (the page it opens)
No analytics server, no telemetry, no third-party domain, no xporterai.com callback.
4. No dynamic-code or exfiltration primitives: no eval, no new Function, no atob-decoded payloads, no WebSocket, no EventSource, no sendBeacon. The single innerHTML writes a static UI template, not user data.
5. CSV is generated and downloaded locally via new Blob([...]) + URL.createObjectURL + a synthetic click (isolated.ts:1, function W). The bookmark data never crosses the network.
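
The checks this review describes (manifest permissions, URL hosts in the bundled scripts, dynamic-code and exfiltration primitives) can be repeated with a short script. This is an added example, not part of the review or the add-on's code; `audit_xpi`, the `ALLOWED` host list and the sample package are constructed for illustration.

```python
import io, json, re, zipfile

# Primitives the review lists as absent; these patterns are simple heuristics.
PRIMITIVES = {
    "eval": r"\beval\s*\(",
    "new Function": r"\bnew\s+Function\b",
    "atob": r"\batob\s*\(",
    "WebSocket": r"\bWebSocket\b",
    "EventSource": r"\bEventSource\b",
    "sendBeacon": r"\bsendBeacon\b",
}
# Captures the authority part of every http(s) URL literal in a script.
URL_RE = re.compile(r"https?://([^/\s\"'`\\]+)")
ALLOWED = ("x.com", "twitter.com", "twimg.com")  # assumption: hosts treated as expected

def host_allowed(host):
    return any(host == d or host.endswith("." + d) for d in ALLOWED)

def audit_xpi(data):
    """Static triage of an .xpi (a ZIP archive) passed in as bytes."""
    report = {"permissions": [], "host_permissions": [],
              "unexpected_hosts": set(), "primitives": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read("manifest.json"))
        report["permissions"] = manifest.get("permissions", [])
        report["host_permissions"] = manifest.get("host_permissions", [])
        for name in z.namelist():
            if not name.endswith(".js"):
                continue
            src = z.read(name).decode("utf-8", "replace")
            for authority in URL_RE.findall(src):
                host = authority.lower().split(":")[0]  # drop any port
                if not host_allowed(host):  # templated or odd hosts are flagged too
                    report["unexpected_hosts"].add((name, host))
            for label, pattern in PRIMITIVES.items():
                if re.search(pattern, src):
                    report["primitives"].setdefault(label, []).append(name)
    return report

def build_sample_xpi(extra_js=""):
    """Constructed sample package for the example, not the real add-on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps({
            "manifest_version": 3, "permissions": ["storage", "tabs"],
            "host_permissions": ["*://*.twitter.com/*", "*://*.x.com/*"]}))
        z.writestr("assets/bg.js", 'fetch("https://x.com/i/bookmarks");' + extra_js)
    return buf.getvalue()
```

Pattern matching of this kind is heuristic: a bundle that assembles URLs or property names at runtime will not match, so a clean report narrows the manual read of the scripts rather than replacing it.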