Is Momentum safe to use?

Momentum has a risk level of MEDIUM with an overall risk score of 4.2/10. Our scan detected 227 security findings. This extension has some risks worth reviewing.

What permissions does Momentum request?

Momentum requests the following permissions: offscreen, unlimitedStorage, idle, bookmarks, tabs, sessions, topSites, favicon, scripting, alarms, notifications, tabGroups, search. It also requests host access to: https://*.momentumdash.com/*.

What is Momentum's risk score?

Momentum has an overall risk score of 4.2/10 (MEDIUM). Breakdown: Permissions 6.0/10, Code 10.0/10, Combinations 4.0/10, CSP 2.2/10.

ExtSafe

MomentumSecurity Analysis

Chromev2.26.0MV3February 18, 2026 at 11:30 AM

Use with caution

This extension requests significant permissions. It has 2M+ users, a 4.2 star rating, is published by Momentum Dashboard, but review the findings below.

4.2MEDIUM

4.2 MEDIUMRaw: 6.4

This extension shows some risk signals that are common in legitimate extensions but worth reviewing. Check the details below.

Based on 14 permissions including high-risk ones, 219 code findings, 1 dangerous combination.

Trust Signals(6.5/10)

Users

2.0M

Rating

4.2(14K reviews)

Developer

Momentum Dashboard

Status

Featured

Dangerous Combinations(1)

MEDIUMTab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs+tabs API usage + external network

Permissions

6.0/10

Code

10.0/10

Combinations

4.0/10

Manifest/CSP

2.2/10

Permissions(14 analyzed)

Code Findings(18 patterns, 219 total)

Libraries(3 detected)

3 libraries detected

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(1 finding)

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

External Domains(56)

${eaccount.momentumdash.comaccounts.spotify.comapi.momentumdash.comapp.posthog.combit.lybrowser-http-intake.logs.datadoghq.combsky.appcalendar.google.comcontent.momentumdash.comcustomer-fw5z54kkbbca834k.cloudflarestream.comdemo.arcade.softwaredevtools.vuejs.orgdiscord.ggduckduckgo.comget.momentumdash.helpgithub.comgo.microsoft.comhandlebarsjs.comi.giphy.comlu.mamoda.shmodash.blob.core.windows.netmomentum.nolt.iomomentum.photosmomentumdash.commomentumdash.typeform.commths.bentp.msn.comopen.spotify.compinia.vuejs.orgposthog.comprosemirror.netraw.githubusercontent.comsuggestions.momentumdash.helpsupport.apple.comsupport.google.comtinyurl.comus.i.posthog.comus.posthog.comwww.apache.orgwww.bing.comwww.ecosia.orgwww.facebook.comwww.gravatar.comwww.instagram.comwww.joshwcomeau.comwww.linkedin.comwww.lokeshdhakar.comwww.momentumdash.comwww.myndex.comwww.reddit.comwww.threads.netwww.youtube.comx.comyandex.com