Is Stylus safe to use?

Stylus has a risk level of HIGH with an overall risk score of 6.9/10. Our scan detected 83 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Stylus request?

Stylus requests the following permissions: alarms, contextMenus, declarativeNetRequestWithHostAccess, identity, idle, offscreen, scripting, storage, tabs, unlimitedStorage, webNavigation, webRequest, webRequestBlocking. It also requests host access to: , https://userstyles.org/*, https://greasyfork.org/*scripts/*, https://sleazyfork.org/*scripts/*, https://userstyles.world/*.

What is Stylus's risk score?

Stylus has an overall risk score of 6.9/10 (HIGH). Breakdown: Permissions 9.5/10, Code 8.5/10, Combinations 10.0/10, CSP 5.0/10.

ExtSafe

StylusSecurity Analysis

Chromev2.3.17MV3February 18, 2026 at 12:02 PM

Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

6.9HIGH

6.9 HIGHRaw: 8.6

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 18 permissions including high-risk ones, 71 code findings, 3 dangerous combinations.

Trust Signals(5.0/10)

Users

900K

Rating

4.3(1K reviews)

Status

Featured

Dangerous Combinations(3)

MEDIUMTab tracking API + external communication

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

tabs+tabs API usage + external network

CRITICALNetwork interception + external communication

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

webRequest/webRequestBlocking+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

9.5/10

Code

8.5/10

Combinations

10.0/10

Manifest/CSP

5.0/10

Permissions(18 analyzed)

Code Findings(22 patterns, 71 total)

Libraries(1 detected)

1 library detected

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(2 findings)

Resolved from __MSG_* i18n placeholders:

Description: Redesign the web with Stylus, a user styles manager. Stylus allows you to easily install themes and skins for many popular sites.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

HIGH

content_scriptsAggressive content script injection

Content script runs at document_start in ALL frames on ALL URLs. This gives the extension deep access to every page load, including iframes.

External Domains(33)

33kk.github.io_accounts.google.comaddons.mozilla.orgaddons.opera.comapi.dropboxapi.comchromewebstore.google.comclngdbkpkpeebahjckkjfobafhncgmne.chromiumapp.orgcontent.dropboxapi.comevilmartians.comexample.comexplore.transifex.comgateway.userstyles.orggithub.comgraph.microsoft.comgreasyfork.orggusted.xyzicons.duckduckgo.comkawanet.github.iolesscss.orglogin.microsoftonline.commths.beraw.githubusercontent.comstylelint.iostylus-lang.comupdate.${eupdate.userstyles.orguserstyles.orguserstyles.worlduso.kkx.onewww.dropbox.comwww.example.comwww.w3ctech.com