Is Tag Assistant safe to use?

Tag Assistant has a risk level of CRITICAL with an overall risk score of 9.4/10. Our scan detected 54 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Tag Assistant request?

Tag Assistant requests the following permissions: scripting, sidePanel, storage, tabs, webNavigation. It also requests host access to: , https://*.google.com/embed/tagging/info/sidepanel*, https://*.google.com/guided_flows/open.

What is Tag Assistant's risk score?

Tag Assistant has an overall risk score of 9.4/10 (CRITICAL). Breakdown: Permissions 10.0/10, Code 10.0/10, Combinations 7.0/10, CSP 7.0/10.

ExtSafe

Tag AssistantSecurity Analysis

Chromev26.34.2.44MV3February 16, 2026 at 03:40 PM

9.4CRITICAL

9.4 CRITICAL

This extension shows critical risk indicators. It requests highly sensitive permissions combined with suspicious code patterns. Proceed with extreme caution.

Based on 8 permissions including high-risk ones, 48 code findings, 1 dangerous combination.

Dangerous Combinations(1)

HIGHTab tracking + external communication

Extension tracks open tabs and communicates with external servers — potential browsing surveillance.

tabs+external network request

Permissions

10.0/10

Code

10.0/10

Combinations

7.0/10

Manifest/CSP

7.0/10

Permissions(8 analyzed)

Code Findings(16 patterns, 48 total)

Libraries(2 detected)

2 libraries detected

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(3 findings)

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

LOW

externally_connectableExternal messaging enabled

Extension accepts messages from 3 external pattern(s). Verify these are trusted origins.

External Domains(23)

*.google.comangular.devangular.ioautopush-conversiontracking-pa-googleapis.sandbox.google.comautopush-conversiontracking-pa.sandbox.googleapis.comautopush-people-pa-googleapis.sandbox.google.comchromewebstore.google.comconversiontracking-pa.clients6.google.comconversiontracking-pa.googleapis.comlocalhost.corp.google.comlodash.comnpms.ioopenjsf.orgpeople-pa.clients6.google.compolymer.github.iosupport.google.comsupporttagging-autopush.sandbox.google.comsupporttagging-staging.sandbox.google.comtagassistant.google.comtagmanager.google.comunderscorejs.orgwww.apache.orgwww.googletagmanager.com