Is ProKeys safe to use?

ProKeys has a risk level of MEDIUM with an overall risk score of 5.2/10. Our scan detected 41 security findings. This extension has some risks worth reviewing.

What permissions does ProKeys request?

ProKeys requests the following permissions: tabs, storage, contextMenus, clipboardRead, offscreen, scripting. It also requests host access to: .

What is ProKeys's risk score?

ProKeys has an overall risk score of 5.2/10 (MEDIUM). Breakdown: Permissions 7.0/10, Code 3.3/10, Combinations 10.0/10, CSP 3.9/10.

ExtSafe

ProKeysSecurity Analysis

Chromev4.0.2MV3April 3, 2026 at 10:09 PM

Use with caution

This extension requests significant permissions. It has 70K+ users, a 5.0 star rating, but review the findings below.

5.2MEDIUM

5.2 MEDIUMRaw: 5.8

This extension shows some risk signals that are common in legitimate extensions but worth reviewing. Check the details below.

Based on 7 permissions including high-risk ones, 37 code findings, 3 dangerous combinations.

Trust Signals(3.0/10)

Users

70K

Rating

5.0(222 reviews)

Status

Featured

Dangerous Combinations(3)

MEDIUMTab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs+tabs API usage + external network

CRITICALClipboard read + external communication

Extension reads clipboard and communicates externally — potential credential or crypto address theft.

clipboardRead+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

7.0/10

Code

3.3/10

Combinations

10.0/10

Manifest/CSP

3.9/10

Permissions(7 analyzed)

Code Findings(15 patterns, 37 total)

Libraries(1 detected)

1 library detected

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(1 finding)

HIGH

content_scriptsAggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains(13)

docs.google.comgithub.comquilljs.comseveraltales.blogspot.insinghgalus.deviantart.comstackexchange.comtwitter.comwebsite.comwww.chess.comwww.facebook.comwww.linkedin.comwww.paypal.mewww.website.com