Is __MSG_extension_name__ safe to use?

__MSG_extension_name__ has a risk level of HIGH with an overall risk score of 7.4/10. Our scan detected 214 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does __MSG_extension_name__ request?

__MSG_extension_name__ requests the following permissions: contextMenus, tabs, tts, storage, unlimitedStorage, webRequest, alarms, webNavigation, fileBrowserHandler, scripting, activeTab. It also requests host access to: *://*.parrottalks.com/*, *://parrottalks.com/*, *://www.parrottalks.com/*, *://localhost/*, http://*/*, https://*/*, ftp://*/*, file://*/*.

What is __MSG_extension_name__'s risk score?

__MSG_extension_name__ has an overall risk score of 7.4/10 (HIGH). Breakdown: Permissions 7.0/10, Code 8.4/10, Combinations 10.0/10, CSP 2.2/10.

ExtSafe

__MSG_extension_name__Security Analysis

Chromev1.16.6MV3February 18, 2026 at 12:08 PM

Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

Known Security Incidents(1)

Critical2024-12Resolved

Compromised in Cyberhaven supply chain attack

Extension was among 35+ extensions compromised in the December 2024 supply chain attack campaign that injected data-stealing code.

7.4HIGH

7.4 HIGH

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 19 permissions including high-risk ones, 202 code findings, 3 dangerous combinations.

Trust Signals(1.0/10)

Users

30K

Rating

2.4(336 reviews)

Dangerous Combinations(3)

MEDIUMTab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs+tabs API usage + external network

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

7.0/10

Code

8.4/10

Combinations

10.0/10

Manifest/CSP

2.2/10

Permissions(19 analyzed)

Code Findings(30 patterns, 202 total)

Libraries(5 detected)

5 libraries detected, 5 with known vulnerabilities

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(1 finding)

MEDIUM

web_accessible_resourcesJS files exposed to web pages

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

External Domains(71)

**.example.com...pdfaangularjs.orgapi.jquery.comblindsignals.comblogs.msdn.combugs.jquery.combugs.webkit.orgbugzilla.mozilla.orgcaniuse.comcode.google.comcrbug.comcwe.mitre.orgdev.w3.orgdevelopers.whatwg.orgdocs.angularjs.orgdocs.closure-library.googlecode.comdocs.python.orgen.wikipedia.orgerrors.angularjs.orgevil.comexample.comfanyi.youdao.comfetch.spec.whatwg.orgfoo.example.comgist.github.comgithub.comgoo.glgoogle.comgraph.facebook.comhaacked.comjames.padolsey.comjquery.comjquery.orgjsfiddle.netjsperf.commozilla.github.iomsdn.microsoft.commyapp.example.comngmodules.orgnlp.stanford.eduopensource.orgparrottalks2015.wix.comserver.comsizzlejs.comsrv*.assets.example.comsrv01.assets.example.comsrv02.assets.example.comstackoverflow.comtools.ietf.orgtranslate.google.comunicode.orgurl.comurl.spec.whatwg.orgwiki.commonjs.orgwww.apache.orgwww.aptana.comwww.bohemiancoding.comwww.ecma-international.orgwww.facebook.comwww.gravatar.comwww.greensock.comwww.ietf.orgwww.parrottalks.comwww.quirksmode.orgwww.ruby-doc.orgwww.w3schools.comwww.whatwg.orgwww.youdao.comxhr.spec.whatwg.org