Is Grass Lite Node safe to use?

Grass Lite Node has a risk level of HIGH with an overall risk score of 6.0/10. Our scan detected 74 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Grass Lite Node request?

Grass Lite Node requests the following permissions: storage, background, webRequest, declarativeNetRequestWithHostAccess. It also requests host access to: .

What is Grass Lite Node's risk score?

Grass Lite Node has an overall risk score of 6.0/10 (HIGH). Breakdown: Permissions 7.5/10, Code 8.3/10, Combinations 10.0/10, CSP 2.2/10.

ExtSafe

Grass Lite NodeSecurity Analysis

Chromev6.1.3MV3February 18, 2026 at 11:39 AM

Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

6.0HIGH

6.0 HIGHRaw: 7.5

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 5 permissions including high-risk ones, 71 code findings, 2 dangerous combinations.

Trust Signals(5.0/10)

Users

1.0M

Rating

4.1(3K reviews)

Developer

Grass OpCo (BVI) Ltd

Dangerous Combinations(2)

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

7.5/10

Code

8.3/10

Combinations

10.0/10

Manifest/CSP

2.2/10

Permissions(5 analyzed)

Code Findings(17 patterns, 71 total)

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(1 finding)

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 4 external pattern(s). Verify these are trusted origins.

External Domains(14)

accounts.google.comapi.grass.ioapi.ipify.orgapp.grass.iodirector.getgrass.iogithub.comgrass-foundation.gitbook.iograss.iolocalhostnpms.iooauth.getgrass.ioreact.devreactrouter.comwww.grass.io