Is Web Developer safe to use?

Web Developer has a risk level of HIGH with an overall risk score of 6.8/10. Our scan detected 109 security findings. This extension has significant security concerns — review the full report before installing.

What permissions does Web Developer request?

Web Developer requests the following permissions: browsingData, contentSettings, cookies, history, scripting, storage, tabs. It also requests host access to: .

What is Web Developer's risk score?

Web Developer has an overall risk score of 6.8/10 (HIGH). Breakdown: Permissions 7.5/10, Code 9.6/10, Combinations 10.0/10, CSP 5.8/10.

ExtSafe

Web DeveloperSecurity Analysis

Chromev3.0.1MV3February 18, 2026 at 11:54 AM

Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

6.8HIGH

6.8 HIGHRaw: 8.5

This extension shows significant risk signals. Review the findings below carefully before installing or continuing to use it.

Based on 8 permissions including high-risk ones, 102 code findings, 3 dangerous combinations.

Trust Signals(4.0/10)

Users

1.0M

Rating

4.8(3K reviews)

Dangerous Combinations(3)

CRITICALBulk cookie access + external network

Extension uses chrome.cookies.getAll for bulk cookie access and sends data to external servers — high risk of session token theft.

cookies+chrome.cookies.getAll + external network

HIGHHistory access + external communication

Extension reads browsing history and sends data externally — potential history exfiltration.

history+external network request

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

7.5/10

Code

9.6/10

Combinations

10.0/10

Manifest/CSP

5.8/10

Permissions(8 analyzed)

Code Findings(22 patterns, 102 total)

Libraries(16 detected)

16 libraries detected, 11 with known vulnerabilities

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(3 findings)

Resolved from __MSG_* i18n placeholders:

Name: Web Developer

Description: Adds a toolbar button with various web developer tools.

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains(24)

*addons.mozilla.orgbeautifier.iobugs.chromium.orgchrispederick.comchromewebstore.google.comcodemirror.netesprima.orggetbootstrap.comgithub.comhtml.spec.whatwg.orgissues.apache.orgjigsaw.w3.orglocalhostmarijnhaverbeke.nlpopper.js.orgsearch.google.comunicode.orgvalidator.w3.orgw3c.github.iowave.webaim.orgwww.cynthiasays.comwww.ecma-international.orgwww.nslookup.io