Mendeley Web Importer Security Analysis

Chrome | v3.3.43 | MV3 | February 18, 2026 at 11:38 AM
Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

6.0 HIGH (Raw: 7.5)

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 5 permissions including high-risk ones, 44 code findings, 2 dangerous combinations.

Trust Signals (5.0/10)

Users: 3.0M
Rating: 4.7 (3K reviews)

Dangerous Combinations (2)

CRITICAL: Network interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking + external network request

CRITICAL: All-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls> + keylogger_pattern

Permissions: 7.0/10
Code: 8.3/10
Combinations: 10.0/10
Manifest/CSP: 3.5/10

Permissions (5 analyzed)

Code Findings (18 patterns, 44 total)

Libraries (1 detected)

1 library detected

Content Security Policy

CSP Present (1 issue)

LOW: object-src: object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (2 findings)

Resolved from __MSG_* i18n placeholders:

Description: Fast, convenient import of references and PDFs to your Mendeley Reference Manager library.

MEDIUM: web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM: content_scripts: Content script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains (21)


Indicators of Compromise

29 indicators of compromise found

File Statistics

Total Files: 62
JS Files: 5
Total Size: 1.8 MB
