Is Stylish - Custom themes for any website safe to use?

Stylish - Custom themes for any website has a risk level of CRITICAL with an overall risk score of 9.8/10. Our scan detected 121 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Stylish - Custom themes for any website request?

Stylish - Custom themes for any website requests the following permissions: storage, tabs, alarms, scripting, webNavigation, webRequest, contextMenus. It also requests host access to: *://*/*, http://*/*, https://*/*, .

What is Stylish - Custom themes for any website's risk score?

Stylish - Custom themes for any website has an overall risk score of 9.8/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 10.0/10, CSP 8.2/10.

ExtSafe

Stylish - Custom themes for any websiteSecurity Analysis

Chromev3.4.10MV3February 16, 2026 at 03:40 PM

9.8CRITICAL

9.8 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 11 permissions including high-risk ones, 113 code findings, 3 dangerous combinations.

Dangerous Combinations(3)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

10.0/10

Code

10.0/10

Combinations

10.0/10

Manifest/CSP

8.2/10

Permissions(11 analyzed)

Code Findings(30 patterns, 113 total)

Libraries(2 detected)

2 libraries detected

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(4 findings)

Resolved from __MSG_* i18n placeholders:

Name: Stylish - Custom themes for any website

Description: With hundreds of thousands of themes, skins & free backgrounds, you can customize any website with your own color scheme in a click.

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 2 external pattern(s). Verify these are trusted origins.

HIGH

content_scriptsAggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains(23)

addons.mozilla.orgaddons.mozilla.org.*stylishaddons.opera.comaddons.opera.com.*stylishapi.mixpanel.comassets.userstyles.orgfb.megateway.userstyles.orggit.iogithub.comgreensock.comi.imgur.comipapi.colocalhostmicrosoftedge.microsoft.commomentjs.comnpms.ioreactjs.orgstylebar-372d9.firebaseio.comuserstyles.orguserstylesapi.comwww.fontspring.comwww.google-analytics.com