Coinbase Wallet extension: Security Analysis

Chrome | v3.137.0 | MV3 | February 18, 2026 at 12:00 PM
Use with caution

This extension requests significant permissions. It has 1M+ users and a 4.9-star rating, but review the findings below.

4.9 MEDIUM (Raw: 6.1)

This extension shows some risk signals that are common in legitimate extensions but worth reviewing. Check the details below.

Based on 8 permissions including high-risk ones, 201 code findings, 1 dangerous combination.

Trust Signals (4.5/10)

Users: 1.0M
Rating: 4.9 (889 reviews)

Dangerous Combinations (1)

CRITICAL: All-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls> + keylogger_pattern

Permissions: 7.0/10
Code: 4.0/10
Combinations: 10.0/10
Manifest/CSP: 4.3/10

Permissions (8 analyzed)

Code Findings (24 patterns, 201 total)

Libraries (1 detected)

Content Security Policy

CSP Present (1 issue)

LOW: object-src: object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (2 findings)

HIGH: web_accessible_resources: JS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM: web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

External Domains (114)


Indicators of Compromise

1304 indicators of compromise found

File Statistics

Total Files: 297
JS Files: 156
Total Size: 38.9 MB