Is Co:Writer safe to use?

Co:Writer has a risk level of CRITICAL with an overall risk score of 9.8/10. Our scan detected 269 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Co:Writer request?

Co:Writer requests the following permissions: tabs, scripting, notifications, storage, unlimitedStorage, contextMenus, webRequest, webNavigation, offscreen. It also requests host access to: http://*/*, https://*/*, *://docs.google.com/document/*, , *://docs.google.com/*, *://classroom.google.com/*.

What is Co:Writer's risk score?

Co:Writer has an overall risk score of 9.8/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 7.5/10.

ExtSafe

Co:WriterSecurity Analysis

Chromev5.0.10.844MV3February 16, 2026 at 03:12 PM

9.8CRITICAL

9.8 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 15 permissions including high-risk ones, 259 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

7.5/10

Permissions(15 analyzed)

Code Findings(29 patterns, 259 total)

Libraries(4 detected)

4 libraries detected, 3 with known vulnerabilities

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(3 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

HIGH

content_scriptsAggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains(30)

${chrome.runtime.idcdn.devdji.comcdn.donjohnston.netcowriter.comcowriter.qadji.comcowriter.stagedji.comdapi.donjohnston.netdapi.qadji.comdapi.stagedji.comde.wikipedia.orgen.wikipedia.orges.wikipedia.orgfr.wikipedia.orggit.iogithub.comhelp.donjohnston.netlogin.donjohnston.netlogin.qadji.comlogin.stagedji.commarkjs.iotranslate.donjohnston.nettranslate.qadji.comtranslate.stagedji.comtts.donjohnston.nettts.qadji.comtts.stagedji.comwww.apache.orgwww.cambridgelms.orgwww.everway.comwww.google-analytics.com