Only the latest version receives fixes. This project does not maintain older release branches.

| Version | Supported |
|---|---|
| 2026-03-31.x | ✅ |
| < 2026-03-31 | ❌ |

Always use the auto-update feature in Tampermonkey to stay on the latest version.

This script is intentionally minimal:

- It injects a single `<style>` tag into `https://claude.ai/*` only
- It does not manipulate the DOM
- It does not collect, transmit, or store any data
- It does not make any network requests of its own
- It has no backend, no server, and no authentication

The main realistic attack surfaces are:

- Supply chain via `@updateURL` - if this GitHub repo were compromised, a malicious update could be pushed to users automatically
- CSS injection - a crafted CSS rule could theoretically be used to obscure UI elements or create visual phishing overlays on the Claude.ai page

If you believe you have found a security issue in this script:
- Do not open a public GitHub issue for anything that could be exploited before it is fixed
- Report privately by emailing or sending a direct message via GitHub - contact details are on the profile page
- Include as much detail as possible - what the issue is, how it could be exploited, and any suggested fix if you have one

You can expect:
- An acknowledgement within a few days
- A fix or decision (accept/decline) within 7 days for anything confirmed
- A public note in the changelog once resolved, without disclosing exploit details until patched

If the issue is declined, you will receive a clear explanation of why it falls outside scope.

- Only install userscripts from sources you trust
- Review the script source before installing - it is short and readable by design
- Keep Tampermonkey set to check for updates regularly
- If you fork or modify this script, disable `@updateURL` and `@downloadURL` so your modified version does not silently receive upstream updates
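
One way to check a script's metadata block against the properties listed above before installing or forking it. This is an added example, not code from this project; `parseMeta`, `auditMeta` and the sample header are constructed for illustration, and the default expected scope is the `https://claude.ai/*` pattern named above.

```javascript
// Added example. parseMeta/auditMeta are hypothetical helper names and the
// sample header is constructed; neither comes from this project.
function parseMeta(source) {
  const block = source.match(/\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/);
  if (!block) return null;
  const meta = Object.create(null); // key -> list of values (keys may repeat)
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@(\S+)(?:\s+(.*?))?\s*$/);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2] || '');
  }
  return meta;
}

function auditMeta(source, { allowedMatch = 'https://claude.ai/*', isFork = false } = {}) {
  const meta = parseMeta(source);
  if (!meta) return ['no ==UserScript== metadata block found'];
  const findings = [];
  // Scope: the script should run on the one expected origin only.
  const scopes = [...(meta.match || []), ...(meta.include || [])];
  if (scopes.length === 0) findings.push('no @match or @include: scope is undefined');
  for (const s of scopes) {
    if (s !== allowedMatch) findings.push(`scope wider than expected: ${s}`);
  }
  // Network and remote code: none is expected for a CSS-only script.
  for (const g of meta.grant || []) {
    if (/xmlhttprequest/i.test(g)) findings.push(`network-capable grant: ${g}`);
  }
  for (const key of ['require', 'resource', 'connect']) {
    for (const v of meta[key] || []) findings.push(`@${key} present: ${v}`);
  }
  // Update channel: a fork must not track upstream; otherwise require HTTPS.
  for (const key of ['updateURL', 'downloadURL']) {
    for (const v of meta[key] || []) {
      if (isFork) findings.push(`fork still sets @${key}: ${v}`);
      else if (!v.startsWith('https://')) findings.push(`@${key} is not HTTPS: ${v}`);
    }
  }
  return findings;
}

const SAMPLE_FORK = [ // constructed header, not this project's
  '// ==UserScript==',
  '// @match       https://claude.ai/*',
  '// @match       https://*/*',
  '// @grant       GM_xmlhttpRequest',
  '// @updateURL   https://example.invalid/upstream.user.js',
  '// ==/UserScript==',
].join('\n');
console.log(auditMeta(SAMPLE_FORK, { isFork: true }));
```

An empty result means the header matches the stated properties; it says nothing about the CSS itself, which still needs to be read.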