Is Capital One Shopping: Save Now safe to use?

Capital One Shopping: Save Now has a risk level of CRITICAL with an overall risk score of 9.7/10. Our scan detected 221 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Capital One Shopping: Save Now request?

Capital One Shopping: Save Now requests the following permissions: alarms, tabs, contextMenus, storage, cookies, webRequest, scripting, offscreen. It also requests host access to: *://*/*, , *://*.capitaloneshopping.com/*, *://*.ivf-stage.com/*, *://*.amazon.com/*, *://*.bestbuy.com/*, *://*.homedepot.com/*, *://*.zappos.com/*, *://dealfinder.retailmenot.com/experience/app*.

What is Capital One Shopping: Save Now's risk score?

Capital One Shopping: Save Now has an overall risk score of 9.7/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 7.0/10.

ExtSafe

Capital One Shopping: Save NowSecurity Analysis

Chromev0.1.1344MV3February 16, 2026 at 02:55 PM

9.7CRITICAL

9.7 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 17 permissions including high-risk ones, 208 code findings, 4 dangerous combinations.

Dangerous Combinations(4)

CRITICALCookie access + external network

Extension has cookie access and sends data to external servers — potential session token theft.

cookies+external network request

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

7.0/10

Permissions(17 analyzed)

Code Findings(25 patterns, 208 total)

Libraries(9 detected)

9 libraries detected

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(3 findings)

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains(55)

${r${t${t.data.referrallink(wwwaddons.mozilla.orgapi.capitaloneshopping.comapi.ivf-stage.comcapitalone.comcapitaloneshopping.comcdn.capitaloneshopping.comcdn.ivaws.comchromewebstore.google.comclient-logger-api.ivaws.comct.pinterest.comcustom.transactionfb.mefeedback.ebay.comfeedback.ivaws.comfeross.orgfiles.ivaws.comgithub.comgoo.glhealth.amazon.comhelp.capitaloneshopping.comimages.capitaloneshopping.comiv-labs.service.dev.ivivf-stage.comjedwatson.github.iojquery.comjquery.orgjs.pusher.comlibertymutualinsurancelodash.commicrosoftedge.microsoft.commomentjs.commths.bemusic.amazon.com.my.ebay.comnpms.ioopenjsf.orgpartner-api.groupon.compharmacy.amazon.compusher.comreactjs.orgschema.orgsite.ivaws.comtailwindcss.com*underscorejs.orgwww.www.amazon.comwww.apache.orgwww.bestbuy.comwww.ebay.comwww.ibm.comwww.npmjs.com