Last updated: 2026-05-19 (covers v1.7.1)
CL Desk Assistant (“the extension”) does not collect, transmit, sell, share, or store any user data outside the user’s own browser. There is no telemetry, no analytics, no tracking, and no third-party scripts.
v1.7 keeps the same four productivity tools as v1.2 through v1.6, with feature enhancements layered on top rather than new tools. v1.7 itself adds one new built-in Word Alerts detector (the fifth) that flags the distinctive copy-button layout left behind when an agent pastes plain-text content from an internal chatbot UI (CloudLinux’s chatbot-internal, ChatGPT, GitHub Copilot, …): a standalone Copy code or DownloadCopy code line, plus the language label on the preceding line when present (bash, python, powershell, json, …). The match is whole-block exact (the block’s normalized text must equal the artifact, not contain it) so prose like “use bash to run this” or “press Ctrl+C to copy code” does not trip. No network calls, no LLM call — fully local pattern matching. v1.6 added a “Copy article reference” button on public Zendesk Help Center article pages. v1.5 introduced the fourth built-in Word Alerts detector that flags pasted Zendesk Help Center article links the customer cannot actually open. v1.4 added WEBP source-file support to the Snippets image pipeline; v1.3 introduced the first three built-in AI-content detectors. New in vX markers below show which version introduced each piece.
/agent/ and /knowledge/ URL paths), so customer-pasted content, prior ticket comments, and Zendesk’s own UI text never trigger them:
<a href> values inside the composer for the substrings chatgpt.com and utm_source=chatgpt. No external lookup, no LLM call, no network traffic; the match is a plain regex on the href string.
/knowledge/..., which covers both the legacy /knowledge/articles/<id> editor URL and the newer Knowledge unified-editor /knowledge/editor/<ulid>/<locale> URL), any agent-side URL (/agent/...), and any Help Center admin URL (/hc/admin/...) is flagged synchronously by URL shape alone — no network request, since these paths are agent-only by definition. URLs that match the public Help Center shape /hc/<locale>/articles/<id> additionally require a live unauthenticated HTTPS request to your same Zendesk tenant to decide; see the “Network calls the extension makes” section below for the full description of that request. Cross-tenant *.zendesk.com URLs (a different subdomain than the one the agent is currently composing on) are ignored entirely. No LLM call, no external service.
chatbot-internal, ChatGPT, GitHub Copilot, …): a standalone Copy code or DownloadCopy code line, plus the language label on the immediately preceding line when it is one of a fixed list (bash, sh, shell, console, output, terminal, pwsh, powershell, python, js, ts, json, yaml, sql, go, rust, c, cpp, c#, java, kotlin, swift, ruby, php, html, css, xml, dockerfile, nginx, ini, toml, diff, markdown, plaintext, text, and common variants). The match is whole-block exact (the block’s normalized text must equal the artifact, not contain it), so prose like “use bash to run this” or “press Ctrl+C to copy code” does not trip. No external lookup, no LLM call, no network traffic; the match is a plain regex over the block’s normalized text.
{{ticket.id}}, {{ticket.subject}}, {{client.name}}, {{client.email}}, {{user.name}}, {{date.today}}), inline images via paste/drop (PNG/JPEG/GIF/WEBP accepted; WEBP and GIF are transcoded in-browser to JPEG or PNG so the output set stays narrow for downstream email-client compatibility; all images downscaled to max 1024 px and compressed in-browser; capped at 256 KB per image, 2 MB per snippet, 8 images per snippet), and a JSON Backup & Restore card in Settings that exports your snippets, word-alert keywords, Find/Replace last-used inputs, and preferences to a local file you save yourself, and re-imports the same shape on demand.
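The whole-block exact match used by the copy-button detector described above can be sketched as follows. This is an added example, not the extension's own code: the function names, the trim-and-collapse normalization, and the shortened label list are assumptions, and the sample blocks are constructed.

```javascript
// Added illustration; names and the normalization rule are assumptions.
// Anchored with ^...$ so the block must EQUAL the artifact, not contain it.
const ARTIFACT = /^(?:Download)?Copy code$/;

// Subset of the fixed label list given on the page.
const LANG_LABELS = new Set([
  'bash', 'sh', 'shell', 'console', 'powershell', 'python', 'json', 'yaml', 'sql',
]);

// Assumed normalization: collapse whitespace runs and trim the ends.
const normalize = (s) => s.replace(/\s+/g, ' ').trim();

// blocks: paragraph-level text strings from the composer, in document order.
// Returns the indexes of the blocks that would be flagged.
function findCopyButtonArtifacts(blocks) {
  const flagged = [];
  blocks.forEach((raw, i) => {
    if (!ARTIFACT.test(normalize(raw))) return;
    // The preceding line is flagged only when it is exactly a known label.
    const prev = i > 0 ? normalize(blocks[i - 1]).toLowerCase() : '';
    if (LANG_LABELS.has(prev)) flagged.push(i - 1);
    flagged.push(i);
  });
  return flagged;
}

// Constructed sample: two pasted artifacts and two prose lines that must not trip.
const SAMPLE_BLOCKS = [
  'Please run the following:',
  'bash',
  'Copy code',
  'yum update',
  'use bash to run this',
  'press Ctrl+C to copy code',
  'python',
  '  DownloadCopy   code ',
];
```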
All user-configurable data is stored locally in your browser via chrome.storage (local for snippet bodies, sync for the smaller settings):
chrome.storage.local on this device only and are not synced across browsers.
chrome.storage.session (cleared when the browser quits). Each entry records only a previously-fetched Zendesk Help Center article URL, the classification verdict (public or non-public), and the timestamp at which it was cached. Entries expire after one hour. The cache exists so the extension does not repeat the same reachability check while an agent is editing a draft.
data: URLs — no separate image files are written, and no external image hosts are contacted.
The Backup & Restore feature in the Settings tab is user-initiated only. When you click Export, the extension serializes the items above into a JSON file and asks your browser to save it to your local Downloads folder. When you click Import, you select a previously-exported JSON file from your local disk; nothing is uploaded anywhere. Smart Refresh runtime state (running/stopped, tick counter) is deliberately excluded from both export and import as per-device runtime state. Changed in v1.3: Find/Replace last-used inputs are now included in the backup so a new-device restore brings them along.
None of this data leaves your browser. The extension does not connect to any third-party server, does not send anything to the developer, and does not report crashes or usage events.
The extension’s only network calls are to your own Zendesk subdomain’s REST API, using your existing Zendesk session cookies (the same ones your browser already sends to zendesk.com). These calls are made only when a snippet that contains a ticket-, client-, or user-scoped variable is being expanded:
GET /api/v2/users/me.json — agent name, for {{user.name}}.
GET /api/v2/tickets/<id>.json — ticket subject, for {{ticket.subject}}.
GET /api/v2/users/<requester_id>.json — requester name and email, for {{client.name}} and {{client.email}}.
Responses are kept in memory for 30 seconds and then discarded. They are never written to disk, never transmitted elsewhere, and never shared with any third party.
New in v1.5: when the “Detect non-public Zendesk article links”
built-in detector is on (the default), and the agent pastes an article URL into the
reply composer whose shape matches the public Help Center pattern
/hc/<locale>/articles/<id>, the extension’s
background service worker performs one additional HTTPS request to
classify the link:
GET https://<your-tenant>.zendesk.com/api/v2/help_center/articles/<id>.json
— Zendesk’s public Help Center JSON API for the numeric article ID
parsed out of the pasted URL. Locale-agnostic; the API returns the
article’s default-locale visibility verdict. The request is made with
credentials: 'omit', so no Zendesk session cookies,
no authorization headers, and no other credentials are sent. It is what
an anonymous, signed-out browser would receive. The verdict is read from the
HTTP status alone: 200 means the article is visible to anonymous
readers (public); 401, 403, 404,
or any other non-2xx status means Zendesk withheld the article from the
anonymous caller (non-public — covers drafts, agent-only
articles, signed-in-only articles, and user-segment-restricted articles, since
Zendesk’s API returns 404 for any article not visible to the requester
rather than disclosing existence). A network error or 8-second timeout is
classified unknown and the link is left unflagged.
This request is scoped to the same Zendesk tenant the agent is
currently composing on (the originally-pasted URL’s hostname must equal
location.host; cross-tenant *.zendesk.com hostnames
are skipped). Verdicts are cached locally for one hour in
chrome.storage.session so the same URL does not produce repeated
requests, and the cache is cleared when the browser quits. Nothing about the
request, the response, or the classification is transmitted anywhere outside
your browser, and no third party (including the developer) is involved.
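The link classification described above, from URL shape through the anonymous request, can be sketched as follows. This is an added example, not the extension's own code: the function names and return shapes are hypothetical, and the handling of 2xx statuses other than 200 is an assumption because the text defines only 200 and non-2xx.

```javascript
// Added illustration; function names and return shapes are hypothetical.
const AGENT_ONLY = /^\/(knowledge|agent|hc\/admin)\//;  // agent-only by definition
const PUBLIC_SHAPE = /^\/hc\/[^/]+\/articles\/(\d+)/;   // /hc/<locale>/articles/<id>

// Step 1: decide from URL shape alone (synchronous, no network).
function classifyByShape(pastedUrl, composerHost) {
  let url;
  try { url = new URL(pastedUrl); } catch { return { verdict: 'ignored' }; }
  // Same-tenant rule: the pasted hostname must equal the composer's host.
  if (url.host !== composerHost) return { verdict: 'ignored' };
  if (AGENT_ONLY.test(url.pathname)) return { verdict: 'non-public' };
  const m = PUBLIC_SHAPE.exec(url.pathname);
  return m ? { verdict: 'needs-check', articleId: m[1] } : { verdict: 'ignored' };
}

// Step 2: the verdict is read from the HTTP status alone.
function verdictFromStatus(status) {
  if (status === 200) return 'public';
  if (status >= 200 && status < 300) return 'unknown'; // assumption, see lead-in
  return 'non-public'; // 401, 403, 404 and any other non-2xx
}

// Step 3: the anonymous request with an 8-second timeout.
async function checkArticle(host, articleId, fetchImpl = fetch, timeoutMs = 8000) {
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    const res = await fetchImpl(
      `https://${host}/api/v2/help_center/articles/${articleId}.json`,
      { credentials: 'omit', signal: ctl.signal }); // no cookies, no auth headers
    return verdictFromStatus(res.status);
  } catch {
    return 'unknown'; // network error or timeout: the link is left unflagged
  } finally {
    clearTimeout(timer);
  }
}
```

Because `credentials: 'omit'` is set on the request itself, the verdict reflects what a signed-out reader would get even though the agent's browser holds a valid Zendesk session.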
New in v1.6: on Zendesk Help Center article pages of the shape
/hc/<locale>/articles/<id>, the extension uses the
same verification call described above to decide whether to mount a small
“Copy article reference” button next to the
article title. The button only appears for articles the verification
classifies as public; restricted articles, drafts, agent/admin URLs
and any URL with a ?preview=… query never receive the
button. Clicking it writes a rich-HTML anchor (the article title as the
visible text, the article URL as the hyperlink target) to your local
clipboard, plus the article URL as plain text for paste targets that
don’t accept rich content. The clipboard write happens entirely in
your browser via the standard navigator.clipboard.write API;
no additional network call is made beyond the verification described
above (which is itself already cached for one hour), and no data is
transmitted to the extension developer or any third party.
The extension’s content scripts run on:
https://*.zendesk.com/* — the primary Zendesk Support UI.
https://*.cloudlinux.com/* and https://*.zdusercontent.com/*
— only inside iframes that Zendesk embeds within ticket views (CloudLinux Doctor diagnostic
reports linked from tickets, and Zendesk-hosted ticket attachments). Content from these iframes is
inspected only to highlight word-alert keywords and to detect snippet shortcut typing. None of it
is transmitted off-device or stored.
One content script (zendesk-mainworld.js) runs in the page’s main JavaScript world
rather than the extension’s isolated world. This is required to access Zendesk’s
CKEditor 5 reply composer via its model API (the editor ignores DOM mutations from isolated content
scripts). The main-world script communicates with the rest of the extension only via
window.postMessage using a typed protocol; it makes no network requests, never reads
chrome.storage, and imports no third-party libraries.
storage — to persist snippets, word-alert keywords, and settings on this device.
offscreen (new in v1.2) — to create a hidden, non-visible extension page used solely to play the optional Word Alerts Critical-match beep through the Web Audio API. The offscreen page is created with the documented AUDIO_PLAYBACK reason, has no DOM-visible UI, makes no network requests, accesses no user data, and exists only to host an oscillator-based two-tone synthesis routine. It is needed because Chrome MV3 content scripts cannot reliably play Web Audio under the autoplay policy.
https://*.zendesk.com/* — to inject the productivity tools
onto your Zendesk subdomain and to call the Zendesk REST API for variable resolution.
Cross-domain content-script matches for cloudlinux.com and
zdusercontent.com are declared on individual content scripts to enable iframe
coverage for keyword highlighting and snippet shortcut detection; they are not requested as
broad host permissions, and the extension does not fetch from those origins.
<a href> strings, a fixed-glyph character class on composer text, and a count of consecutive empty paragraph-level children in the composer — not calls to any AI service. The fourth built-in detector (introduced in v1.5, non-public Zendesk article links) is a reachability check against your own Zendesk tenant’s Help Center, not an AI call. No prompts are sent to any AI provider. No third-party AI SDK (Anthropic, OpenAI, etc.) is bundled into the production build.
The extension declares a single default keyboard shortcut, Alt+Shift+Z, mapped to
Chrome’s standard _execute_action command to open the popup. You can change or
remove it at any time from
chrome://extensions/shortcuts. No other
keystrokes are captured or recorded.
Issues, questions, or feedback: https://github.com/Taha-Alian/zendesk-cl-extension/issues