Is Kami for Google Chrome™ safe to use?

Kami for Google Chrome™ has a risk level of CRITICAL with an overall risk score of 9.9/10. Our scan detected 185 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Kami for Google Chrome™ request?

Kami for Google Chrome™ requests the following permissions: webRequest, tabs, webNavigation, contextMenus, storage, declarativeNetRequest, scripting, offscreen, printerProvider. It also requests host access to: , https://www.canva.com/design/*, https://*.instructure.com/*/assignments/*, https://tealearn.instructure.com/courses/*/pages/*, https://*.instructure.com/*/assignments/*/edit*, https://*.instructure.com/*/assignments/new*, https://my.mheducation.com/*, https://classroom.google.com/*, https://classroom.google.com/*g/tg/*, https://drive.google.com/picker*, https://docs.google.com/document/d/*, https://docs.google.com/presentation/d/*, https://docs.google.com/spreadsheets/d/*, https://docs.google.com/*, https://drive.google.com/*, https://*.kami.systems/web/*, https://*.kamihq.com/web/*, https://*.kamipdf.com/web/*, https://*.officeapps.live.com/*, https://*.onedrive.live.com/*, https://*.sharepoint.com/*p*/r/*, https://*.sharepoint.com/*w*/r/*, https://app.peardeck.com/*, https://www.teacherspayteachers.com/**.

What is Kami for Google Chrome™'s risk score?

Kami for Google Chrome™ has an overall risk score of 9.9/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 9.4/10.

ExtSafe

Kami for Google Chrome™Security Analysis

Chromev2.0.22152MV3February 16, 2026 at 02:20 PM

9.9CRITICAL

9.9 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 33 permissions including high-risk ones, 156 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

9.4/10

Permissions(33 analyzed)

Code Findings(27 patterns, 156 total)

Libraries(2 detected)

2 libraries detected, 2 with known vulnerabilities

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(9 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM

web_accessible_resourcesJS files exposed to web pages

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

MEDIUM

web_accessible_resourcesJS files exposed to web pages

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 3 external pattern(s). Verify these are trusted origins.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains(40)

**.instructure.com*.kami.systems*.kamihq.com*.kamipdf.com*.officeapps.live.com*.onedrive.live.com*.sharepoint.comapi-staging.kamihq.comapi-test.kamihq.comapi.kamihq.comapi.local.kamipdf.comapp.peardeck.comapp.schoology.comasset-cdn.schoology.combeta.kamihq.comclassroom.google.comdocs.google.comdrive-thirdparty.googleusercontent.comdrive.google.comgithub.comhelp.kamiapp.comhelp.kamihq.comimmersivekami.cognitiveservices.azure.comjedwatson.github.iolh3.google.comlocalhostmarked.js.orgmths.bemy.mheducation.comnotify.bugsnag.comradix-ui.comreact.devstorage.googleapis.comtealearn.instructure.comtools.kamihq.comweb.kamihq.comwww.canva.comwww.kamiapp.comwww.teacherspayteachers.com