Chrome/Chromium extension to detect AI-generated images using local analysis
GenSnitch helps you identify potentially AI-generated images by analyzing their metadata. It runs entirely locally in your browser - no images are ever uploaded anywhere.
- Right-click context menu - Check any image on any webpage
- C2PA/Content Credentials verification - Full manifest reading with cryptographic validation
- EXIF/XMP metadata analysis - Finds AI tool signatures (Stable Diffusion, DALL-E, Midjourney, etc.)
- PNG text chunk scanning - Extracts generation parameters from SD images
- 100% local processing - Your images never leave your browser
- Privacy-first - No analytics, no tracking, no data collection
- Clone or download this repository
- Install dependencies and build:

```
npm install
npm run build
```

- Open Chrome/Chromium and navigate to `chrome://extensions`
- Enable Developer mode (toggle in top right)
- Click Load unpacked
- Select the `dist` folder from this project

```
npm run zip
```

This creates `gensnitch.zip` containing the extension files ready for Chrome Web Store submission.
- Right-click on any image on a webpage
- Select "GenSnitch: Check if AI-generated"
- If prompted, allow the permission to access the site
- A results window will show the analysis
GenSnitch now includes full C2PA manifest verification using the official CAI SDK:
- Manifest Detection - Checks if the image contains C2PA content credentials
- Cryptographic Validation - Verifies the digital signature is valid
- Trust Verification - Checks if the signer is in the local trust list
- AI Assertions - Detects specific AI-generation assertions in the manifest
| Status | Meaning |
|---|---|
| Signature Valid | Cryptographic signature verified successfully |
| Signature Invalid | Signature verification failed (possibly tampered) |
| Trusted Issuer | Signer is in the local trust list |
| Unknown Issuer | Signer not in trust list (doesn't mean invalid!) |
Analyzes standard image metadata for known AI tool indicators:
- Software field (e.g., "Stable Diffusion", "ComfyUI")
- Creator Tool (e.g., "Adobe Firefly")
- Custom fields from AI generators
For PNG images, scans embedded text chunks for:
- Generation parameters (`parameters` key)
- SD metadata (`sd-metadata` key)
- Workflow information
- Prompt text
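
The scan described above can be sketched as follows. This is an added example, not GenSnitch's own `pngText.ts`: all function names are hypothetical, the `prompt` and `workflow` key names are assumptions, and only uncompressed `tEXt` chunks are read.

```typescript
// Added example, not GenSnitch's pngText.ts. Helper names are hypothetical.
const PNG_SIG = [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a];
// "parameters" and "sd-metadata" come from the README; "prompt" and "workflow"
// are assumed key names for its "Prompt text" and "Workflow information" items.
const AI_KEYS = ["parameters", "sd-metadata", "prompt", "workflow"];

const latin1 = (b: Uint8Array): string =>
  Array.from(b, (v) => String.fromCharCode(v)).join("");
const bytes = (s: string): number[] => s.split("").map((c) => c.charCodeAt(0));

// Walk the chunk list and return keyword -> text for every tEXt chunk.
function readTextChunks(png: Uint8Array): Map<string, string> {
  if (png.length < 8 || PNG_SIG.some((v, i) => png[i] !== v)) {
    throw new Error("not a PNG");
  }
  const out = new Map<string, string>();
  const view = new DataView(png.buffer, png.byteOffset, png.byteLength);
  let pos = 8;
  while (pos + 12 <= png.length) {             // length(4) + type(4) + crc(4)
    const len = view.getUint32(pos);           // big-endian data length
    const type = latin1(png.subarray(pos + 4, pos + 8));
    const end = pos + 8 + len;
    if (end + 4 > png.length) break;           // length field points past the file
    if (type === "tEXt") {
      const data = png.subarray(pos + 8, end);
      const nul = data.indexOf(0);             // layout: keyword, NUL, text
      if (nul > 0) out.set(latin1(data.subarray(0, nul)), latin1(data.subarray(nul + 1)));
    }
    if (type === "IEND") break;
    pos = end + 4;                             // skip the CRC (not verified here)
  }
  return out;
}

function aiHints(png: Uint8Array): string[] {
  const chunks = readTextChunks(png);
  return AI_KEYS.filter((k) => chunks.has(k));
}

// Constructed sample: header, one tEXt chunk, IEND. CRCs are zero placeholders.
function chunk(type: string, data: number[]): number[] {
  const n = data.length;
  const len = [n >>> 24, (n >>> 16) & 255, (n >>> 8) & 255, n & 255];
  return len.concat(bytes(type), data, [0, 0, 0, 0]);
}
const SAMPLE_PNG = new Uint8Array(PNG_SIG.concat(
  chunk("IHDR", new Array<number>(13).fill(0)),
  chunk("tEXt", bytes("parameters\0lighthouse at dusk\nSteps: 20")),
  chunk("IEND", [])));
```

A hit only shows that the file still carries generator metadata; a re-encoded or stripped image returns an empty list.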
- Content Authenticity Initiative samples: https://contentauthenticity.org/
- Adobe Stock - Many images now include Content Credentials
- Truepic - Provides C2PA-signed images
- Create your own using Adobe Photoshop/Lightroom (with Content Credentials enabled)
When analyzing a C2PA-signed image:
```
Content Credentials Found
Signature Valid   Unknown Issuer
Claim Generator: Adobe Photoshop 25.0
Signed By: Adobe Inc.
Actions: c2pa.created, c2pa.edited
```
- "Unknown Issuer" does NOT mean the signature is invalid
- It simply means the signer's certificate isn't in GenSnitch's local trust list
- The signature can still be cryptographically valid
- To add a trusted issuer, add their certificate SHA-256 hash to `src/assets/trust/allowed.sha256.txt`

Edit `src/assets/trust/allowed.sha256.txt`:

```
# Add certificate SHA-256 fingerprints (lowercase, no colons)
abc123def456... # Adobe
xyz789abc012... # Your organization
```
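
One way to load a trust list in this format and derive the two independent statuses from the table above. This is an added example, not GenSnitch's own code: the function names are hypothetical and the fingerprints are constructed. It also accepts colon-separated, upper-case fingerprints as certificate tools commonly print them, and rejects truncated placeholder entries instead of trusting them.

```typescript
// Added example (not GenSnitch's own code); all names here are hypothetical.
const HEX64 = /^[0-9a-f]{64}$/;

// Accepts "AB:CD:..." or "sha256 Fingerprint=AB:CD:..." and returns
// lowercase hex without colons, or null if it is not a full SHA-256 value.
function normalizeFingerprint(raw: string): string | null {
  const value = raw.slice(raw.indexOf("=") + 1);   // no "=" means the whole string
  const hex = value.replace(/[:\s]/g, "").toLowerCase();
  return HEX64.test(hex) ? hex : null;
}

// Parse the allowed.sha256.txt format: one fingerprint per line, "#" comments.
function parseTrustList(text: string): { trusted: Set<string>; rejected: string[] } {
  const trusted = new Set<string>();
  const rejected: string[] = [];
  for (const line of text.split(/\r?\n/)) {
    const entry = line.replace(/#.*$/, "").trim();  // drop full-line and trailing comments
    if (entry === "") continue;
    const fp = normalizeFingerprint(entry);
    if (fp) trusted.add(fp);
    else rejected.push(entry);                      // surface typos and placeholders
  }
  return { trusted, rejected };
}

// Signature validity and issuer trust are reported separately, as in the
// status table. Issuer trust only carries weight when the signature verifies.
function issuerStatus(signatureValid: boolean, signerFp: string, trusted: Set<string>): string[] {
  const fp = normalizeFingerprint(signerFp);
  return [
    signatureValid ? "Signature Valid" : "Signature Invalid",
    fp !== null && trusted.has(fp) ? "Trusted Issuer" : "Unknown Issuer",
  ];
}

// Constructed sample list; the 64-character entry is not a real certificate hash.
const SAMPLE_LIST = [
  "# Add certificate SHA-256 fingerprints (lowercase, no colons)",
  "a".repeat(64) + "  # constructed sample entry",
  "abc123def456...  # truncated placeholder, ends up in rejected",
].join("\n");
```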
- Metadata can be easily stripped or modified
- Many AI images have no identifying metadata
- Some legitimate photos may trigger false positives
- This is a heuristic tool, not a forensic detector
- "Unknown issuer" doesn't mean untrustworthy
GenSnitch is designed with privacy as a core principle:
- All processing happens locally in your browser
- No images are ever uploaded to any server
- No analytics or tracking of any kind
- No external API calls (placeholder for future ML feature exists but is disabled)
- WASM runs locally - C2PA validation uses bundled WebAssembly
See PRIVACY.md for full details.
| Permission | Why Needed |
|---|---|
| `contextMenus` | Create the right-click menu option |
| `storage` | Save analysis reports temporarily |
| `scripting` | Fetch blob: URLs from page context |
| `activeTab` | Access the current tab when analyzing |
| `https://*/*` (optional) | Fetch images from websites (requested on first use) |
The extension uses `wasm-unsafe-eval` to run the C2PA WebAssembly module locally. This is required for C2PA validation and does NOT allow loading external code.
- Right-click image on Google Images
- Right-click image on Wikipedia
- Right-click image on Twitter/X
- Test with `data:` URL images (inline images)
- Test with `blob:` URL images (canvas-based sites)
- Test with large images (>10MB) - should show size error
- Test with a known AI-generated PNG (should show parameters)
- Test with a C2PA-signed image (should show credentials)
- Test C2PA signature validation (valid vs. tampered)
```
# Install dependencies
npm install
# Build once
npm run build
# Build and watch for changes
npm run dev
```

```
gensnitch/
├── src/
│   ├── background.ts               # Service worker
│   ├── lib/
│   │   ├── types.ts                # TypeScript interfaces
│   │   ├── imageBytes.ts           # Image fetching
│   │   ├── report.ts               # Report generation
│   │   └── analyzers/
│   │       ├── c2pa.ts             # C2PA verification (with WASM)
│   │       ├── metadata.ts         # EXIF/XMP analysis
│   │       └── pngText.ts          # PNG chunk parsing
│   ├── assets/
│   │   └── trust/
│   │       └── allowed.sha256.txt  # Local trust list
│   └── ui/
│       ├── result.html
│       ├── result.css
│       └── result.ts
├── manifest.json
└── vite.config.ts
```
- Manifest V3 - Modern Chrome extension format
- TypeScript - Type-safe development
- Vite - Fast build tooling
- c2pa - Official CAI C2PA verification library
- exifr - EXIF/XMP metadata parsing
- v0.1 - Basic metadata detection
- v0.2 - Full C2PA validation with WASM
- v1.0 - ML-based detection fallback (opt-in)
- v1.1 - Batch checking for pages
- v1.2 - Custom trust list management UI
See CONTRIBUTING.md for guidelines.
MIT - See LICENSE
Made by the GenSnitch community