Is OrbitNote safe to use?

OrbitNote has a risk level of CRITICAL with an overall risk score of 9.7/10. Our scan detected 117 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does OrbitNote request?

OrbitNote requests the following permissions: webRequest, scripting, tabs, gcm, idle, alarms, webNavigation, storage, identity, identity.email. It also requests host access to: https://www.google-analytics.com/, https://*/*, http://*/*, https://orbit.texthelp.com/, https://pdf.dev.texthelp.com/, https://orbit-kit-client-dev-mc.texthelp.dev/*, https://localhost:3000/, https://orbitnote-stg.dev.texthelp.com/*, https://orbitnote.dev.texthelp.com/*, https://orbit.texthelp.com/*, https://orbit.texthelp.com/v2/*, https://pdf.dev.texthelp.com/*, https://localhost:3000/*, http://localhost:3000/*, file:///*/*.pdf, file:///*/*.PDF, https://classroom.google.com/*, *://*/*.

What is OrbitNote's risk score?

OrbitNote has an overall risk score of 9.7/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 7.3/10.

ExtSafe

OrbitNoteSecurity Analysis

Chromev7.0.4MV3February 16, 2026 at 02:59 PM

9.7CRITICAL

9.7 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 28 permissions including high-risk ones, 93 code findings, 2 dangerous combinations.

Dangerous Combinations(2)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

7.3/10

Permissions(28 analyzed)

Code Findings(20 patterns, 93 total)

Libraries(4 detected)

4 libraries detected, 1 with known vulnerabilities

Content Security Policy

CSP Present(1 issue)

LOW

object-srcobject-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis(4 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 2 external pattern(s). Verify these are trusted origins.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains(45)

app.schoology.combugs.chromium.orgbugzilla.mozilla.orgcode.google.comcontent-people.googleapis.comcrbug.comdeveloper.microsoft.comdevelopers.google.comdocs.closure-library.googlecode.comdrive.google.comelectronjs.orgen.wikipedia.orgfb.megist.github.comgithub.comhtml.spec.whatwg.orgid.wikisource.orginfra.spec.whatwg.orgjv.wikipedia.orglocalhostmessaging-db.texthelp.commessaging.texthelp.commodernizr.commomentjs.comnew.gramota.runodejs.orgorbit.texthelp.compdfviewer-9152a.firebaseio.compraleska.proreactjs.orgstackoverflow.comta.wikipedia.orgtexthelp-pdf-reader.firebaseio.comtexthelpuk-my.sharepoint.comtools.ietf.orgurl.spec.whatwg.orgw3c.github.iowww.andismith.comwww.apache.orgwww.googleapis.comwww.owasp.orgwww.quirksmode.orgwww.thespanner.co.ukwww.unicode.orgwww.whatwg.org