Proton Pass: Free Password Manager - Security Analysis

Chrome | v1.34.2 | MV3 | March 16, 2026 at 06:15 PM
Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

5.5 MEDIUM (Raw: 8.5)

This extension shows some risk signals that are common in legitimate extensions but worth reviewing. Check the details below.

Based on 14 permissions including high-risk ones, 346 code findings, 3 dangerous combinations.

Trust Signals (6.5/10)

Users: 1.0M
Rating: 4.8 (6K reviews)
Developer: Proton AG
Status: Featured

Dangerous Combinations (3)

CRITICAL: Network interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking + external network request

CRITICAL: Clipboard read + external communication

Extension reads clipboard and communicates externally — potential credential or crypto address theft.

clipboardRead + external network request

CRITICAL: All-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls> + keylogger_pattern

Permissions: 8.0/10
Code: 10.0/10
Combinations: 10.0/10
Manifest/CSP: 3.9/10

Permissions (14 analyzed)

Code Findings (22 patterns, 346 total)

Content Security Policy

CSP Present (1 issue)

LOW: object-src: object-src not restricted

object-src is not set to 'none'. Plugins like Flash can be embedded, which may allow code execution.

Manifest Analysis (3 findings)

MEDIUM: web_accessible_resources: JS files exposed to web pages

JavaScript files are exposed as web-accessible resources. Matched websites can load and interact with extension scripts.

MEDIUM: web_accessible_resources.matches: Overly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW: externally_connectable: External messaging enabled

Extension accepts messages from 2 external pattern(s). Verify these are trusted origins.

External Domains (47)

Indicators of Compromise

112 indicators of compromise found

File Statistics

Total Files: 271
JS Files: 151
Total Size: 19.5 MB