Is __MSG_appName__ safe to use?

__MSG_appName__ has a risk level of CRITICAL with an overall risk score of 8.0/10. Our scan detected 39 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does __MSG_appName__ request?

__MSG_appName__ requests the following permissions: nativeMessaging. It also requests host access to: *://*/*, .

What is __MSG_appName__'s risk score?

__MSG_appName__ has an overall risk score of 8.0/10 (CRITICAL). Breakdown: Permissions 8.0/10, Code 7.6/10, Combinations 10.0/10, CSP 6.1/10.

ExtSafe

__MSG_appName__Security Analysis

Edgev15.7.100.1674MV3February 18, 2026 at 08:39 AM

8.0CRITICAL

8.0 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 3 permissions including high-risk ones, 36 code findings, 2 dangerous combinations.

Dangerous Combinations(2)

CRITICALNative messaging + dynamic code execution

Extension communicates with native apps and executes dynamic code — potential sandbox escape vector.

nativeMessaging+eval/Function/dynamic code

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

8.0/10

Code

7.6/10

Combinations

10.0/10

Manifest/CSP

6.1/10

Permissions(3 analyzed)

Code Findings(15 patterns, 36 total)

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(4 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

MEDIUM

update_urlCustom update URL

Extension auto-updates from a custom server (https://edge.microsoft.com/extensionwebstorebase/v1/crx). Side-loaded extensions with custom update URLs can receive updates from arbitrary servers without Chrome Web Store review.