Is Loom – Screen Recorder & Screen Capture safe to use?

Loom – Screen Recorder & Screen Capture has a risk level of CRITICAL with an overall risk score of 9.7/10. Our scan detected 500 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Loom – Screen Recorder & Screen Capture request?

Loom – Screen Recorder & Screen Capture requests the following permissions: activeTab, alarms, contextMenus, cookies, desktopCapture, scripting, storage, system.cpu, system.display, tabCapture, webNavigation, webRequest. It also requests host access to: , *://.loom.com/, https://www.figma.com/*, https://docs.google.com/spreadsheets/*, https://snowflake.com/*, https://*.github.com/*, https://*.airtable.com/*, https://*.atlassian.net/*, https://trello.com/, https://app.hubspot.com/*, https://www.notion.so/*, https://*.snowflakecomputing.com/console#/*, https://app.slack.com/client/*, https://mail.google.com/*, https://*.monday.com/*, https://www.linkedin.com/*, https://business.facebook.com/*, https://docs.google.com/presentation/*, https://app.asana.com/*, https://docs.google.com/document/*, https://drive.google.com/drive/*, https://app.clickup.com/*, https://*.canva.com/*, https://*.outreach.io/*, https://*.salesloft.com/*, https://meet.google.com/*, https://github.com/*, https://gitlab.com/*, https://app.intercom.io/*, https://*.intercom.help/*, https://support.loom.com/*, https://www.producthunt.com/*, https://www.dropbox.com/*, https://news.ycombinator.com/*, https://*.force.com/*, https://app.salesforceiq.com/*, https://app.outreach.io/*, https://app.salesloft.com/*.

What is Loom – Screen Recorder & Screen Capture's risk score?

Loom – Screen Recorder & Screen Capture has an overall risk score of 9.7/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 7.3/10.

ExtSafe

Loom – Screen Recorder & Screen CaptureSecurity Analysis

Chromev5.5.167MV3February 16, 2026 at 02:58 PM

9.7CRITICAL

9.7 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 50 permissions including high-risk ones, 456 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

CRITICALCookie access + external network

Extension has cookie access and sends data to external servers — potential session token theft.

cookies+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

7.3/10

Permissions(50 analyzed)

Code Findings(29 patterns, 456 total)

Libraries(3 detected)

3 libraries detected, 1 with known vulnerabilities

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(4 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 1 external pattern(s). Verify these are trusted origins.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains(30)

${eapi.atlassian-us-gov-mod.comapi.atlassian.comapi.dev.atlassian.comapi.segment.ioapi.statsigcdn.comapi.stg.atlassian-us-gov-mod.comapi.stg.atlassian.comas.atlassian-us-gov-mod.comas.atlassian.comas.staging.atl-paas-us-gov-mod.netas.staging.atl-paas.netcdn.loom.comconfluence.atlassian.comexample.comfb.mefeatureassets.orggithub.commozilla.github.ionpms.ioo55978.ingest.sentry.ioprodregistryv2.orgreactjs.orgstatsigapi.netsupport.atlassian.comteamswww.atlassian.comwww.loom.comxp.atlassian.com{subdomain