API & MCP

Hidden Things — OSINT File Scanner

Detects robots.txt, sitemap.xml, security.txt, and other standard or sensitive files on the visited site.

As of July 2026, Hidden Things — OSINT File Scanner has users in the Productivity category.

Usersno change0%
Ratingno change0%
— reviews
Reviewsno change0%
Version
0.1.0
Manifest V3

History

1 snapshots

Tracking since Jul 8, 2026.

Not enough history yet for this metric — the chart fills in as we collect more snapshots.
View as table
DateUsersRatingReviewsVersion
Jul 8, 20260.1.0
Now0.1.0

Permissions & access

Permissions
storageactiveTabdownloadsscripting
Host access
http://*/*, https://*/*

Screenshots

Hidden Things — OSINT File Scanner screenshot 1

About

HiddenThings checks whether the site you're browsing exposes files it shouldn't — or standard files worth knowing about.

Automatic scan: on every page load, it checks for robots.txt, sitemap.xml, security.txt, and about 50 other standard/.well-known/ files. It also reads robots.txt itself and tests any extra paths listed in its Disallow/Allow/Sitemap entries.

Advanced recon (opt-in, manual): on request, it tests roughly 220 paths commonly checked in bug bounty recon — .git/, .env files, SSH keys, TLS certificates, cloud credentials, shell history files, CMS config files, debug endpoints, log files.

Custom wordlist (opt-in): paste your own list of paths to test against the current site.

Customization: Easily change the theme color and toggle between light and dark modes.

Source map discovery (opt-in): scans <script> tags on the page and checks for matching .js.map files, which sometimes leak unminified source code.

To cut down on false positives, every scan is checked against a request to a path that's guaranteed not to exist. If a site returns 200 OK for that too (common with single-page apps and custom error pages), matching results are filtered out instead of reported as found.

Each result links directly to the file and has a one-click download button.

All requests are made from the extension's own background/popup context using fetch(). Nothing is sent anywhere except to the site you're already on.

Meant for security research, bug bounty testing, and OSINT on sites you own or are authorized to test.

Technical

Version
0.1.0
Manifest
V3
Size
56.84KiB
Min Chrome
116
Languages
1
Featured
No

Metadata

ID
lpnekdbafaifljkfenpbpbbhponhpcpl
Developer ID
u092dae5a18ed0e579b195287d561b00a
Developer Email
[email protected]
Created
Jul 7, 2026
Last Updated (Store)
Jul 7, 2026
Last Scraped
Jul 8, 2026
Website
camael.fr

Data sourced from the Chrome Web Store · last verified Jul 8, 2026.