uncloseai.

Browser Toys

Browser extensions that add the uncloseai. floating button to every web page you visit. Lightweight wrappers around uncloseai.js — no server, no backend, no accounts. The extension injects the script tag, and everything else runs client-side in your browser.

Current release: v1.0.0

Available Extensions

Chrome / Edge / Brave / Vivaldi / Arc

Manifest V3 extension for all Chromium-based browsers.

Download for Chrome (~10 KB)

1. Download and unzip uncloseai-browser-toy-chrome.zip
2. Verify the download (see checksums below)
3. Open chrome://extensions and enable Developer mode (toggle in top right)
4. Click Load unpacked and select the unzipped folder
5. The uncloseai. button appears on every page you visit

Firefox

Manifest V2 extension for Firefox 109+ and Firefox-based browsers (LibreWolf, Waterfox).

Download for Firefox (~10 KB)

1. Download uncloseai-browser-toy-firefox.zip
2. Verify the download (see checksums below)
3. Open about:debugging#/runtime/this-firefox
4. Click Load Temporary Add-on and select the downloaded zip file
5. The uncloseai. button appears on every page you visit

Safari

Safari Web Extension for macOS and iOS. Requires Xcode conversion.

Download Safari source (~10 KB)

1. Download and unzip uncloseai-browser-toy-safari.zip
2. Verify the download (see checksums below)
3. Convert to Xcode project:

   xcrun safari-web-extension-converter /path/to/unzipped-folder \
     --project-location ./safari-xcode \
     --app-name "uncloseai" \
     --bundle-identifier com.uncloseai.browser-toy \
     --no-open

4. Open safari-xcode/uncloseai.xcodeproj, set your signing team, build (Cmd+R)
5. Enable in Safari Settings > Extensions

Verify your download

Always verify downloads before installing. Checksum files are generated by the build and published alongside the zips.

SHA256SUMS | MD5SUMS

v1.0.0 SHA-256

2550bbdd34941b95e7d8944bbf5140b6ef16848c77ce4862f8e52aa9c2091087  uncloseai-browser-toy-chrome.zip
9b931277112df639fdec830bc43ea86f23b650980dec4c3c012bdec3735f3abc  uncloseai-browser-toy-firefox.zip
02546524bc9bdab7337274749f4a59caeb1e8b310514ec41d8a7cb54b5661a8e  uncloseai-browser-toy-safari.zip

# Download checksums and verify all zips at once
curl -sO https://uncloseai.com/downloads/SHA256SUMS
sha256sum -c SHA256SUMS

# Or verify a single file
curl -s https://uncloseai.com/downloads/SHA256SUMS | grep chrome | sha256sum -c

How it works

1. The content script injects <script src="https://uncloseai.com/uncloseai.js" type="module"> into every page
2. If uncloseai.js is already on the page, it skips injection (no duplicates)
3. The floating uncloseai. button appears in the bottom-right corner
4. Click it to chat with Hermes about the current page
5. Toggle the extension on or off from the toolbar popup

Storage and privacy

These extensions have no backend. Everything runs client-side in your browser.

• Chat history stays in your browser's localStorage, scoped per domain and encrypted by UncloseVault. Conversations on example.com are separate from conversations on github.com. Each site has its own vault with its own password.
• Settings (model selection, language preference, voice) are encrypted in the vault.
• Secrets (custom API keys, unsandbox keys) are encrypted in the vault.
• The extension itself stores one boolean value: enabled on/off. That is the only data the extension touches.

No data is written to localStorage unless encrypted with your password. No data leaves your browser except the messages you choose to send to the public machine learning endpoints at hermes.ai.unturf.com, qwen.ai.unturf.com, and speech.ai.unturf.com.

Mandatory Vault Encryption

UncloseVault is mandatory. When you first open the chat, you are prompted to create a vault password before anything else. No conversations, settings, or keys are stored without encryption.

First launch

1. Click the uncloseai. button on any page
2. The vault gate appears: choose a password (minimum 8 characters)
3. Chat loads after the vault is created
4. All data is encrypted with AES-256 before writing to localStorage

Returning

1. Click the uncloseai. button on any page
2. Enter your password to unlock the vault
3. Your encrypted conversations and settings are restored

What gets encrypted

• Conversation history — all chat messages, per domain, encrypted before writing to localStorage
• Settings — model, voice, language preferences
• API keys — custom endpoint credentials
• Unsandbox keys — code execution credentials

How it works

• AES-256 encryption via CryptoJS
• Password-derived key with device-specific salt (SHA-256)
• Each website has its own vault; you can use a different password per site
• Session persistence across page navigations (encrypted session key in localStorage)
• Lock the vault at any time from Settings to end your session

Without the vault password, conversation history and settings are unreadable. If you forget your password, the encrypted data cannot be recovered.

Security

The extension code has been audited across 6 security categories with 49 automated tests. Findings: 0 critical, 0 high, 0 medium, 0 low, 3 informational.

• No innerHTML, eval(), document.write, or new Function()
• No network requests from extension code (all networking is in the injected uncloseai.js)
• Minimal permissions: storage only (plus host access for injection)
• Content Security Policy restricts extension pages to script-src 'self'
• Extension stores exactly one value: {enabled: true|false}

Source Code

📦 git.unturf.com/engineering/unturf/uncloseai-browser-toys

Releases: all releases

Build from source:

git clone https://git.unturf.com/engineering/unturf/uncloseai-browser-toys.git
cd uncloseai-browser-toys
node scripts/build.js   # outputs zips to dist/

Licensed under AGPL-3.0-only.