Is "VibeMate" on Chrome Web Store Safe to Install?

[email protected] · chrome · v1.4.2

The interactive panel will appear on the side of your webpage and offer everything you need to enjoy your favorite shows. No more needing multiple tabs, all tools will appear directly in the panel without covering up the stream. This all-in-one is sure to please, try it out today!

Risk Assessment

Analyzed: 61 out of 100 (MEDIUM)

11 security findings detected across all analyzers

Chrome extension requesting 6 permissions

Severity Breakdown

  • Critical: 0
  • High: 2
  • Medium: 9
  • Low: 0
  • Info: 0

Finding Categories

  • Obfuscation: 2
  • Network: 8

Requested Permissions

6 permissions
  • tabs: Medium
  • offscreen: Low
  • sidePanel: Low
  • storage: Low
  • commands: Low
  • notifications: Low

Detailed Findings

11 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-05-11. The review verdict is likely false positive with 70% confidence.

Recommended action: monitor.
Risk context: MEDIUM risk, score 61/100.
Evidence context: threat category none; evidence quality moderate.

VibeMate is a browser extension claiming to improve livestream viewing experiences on YouTube and similar platforms. The analysis reveals 11 total findings, but none indicate confirmed malicious behavior.

Manifest Analysis: The extension requests the 'tabs' permission (MANIFEST-SENSITIVE-PERM-TABS in manifest.json), which is standard for extensions that need to interact with web pages. This permission alone does not indicate malicious intent.

Network Activity: Eight network findings were detected across multiple files including chunks/pageMessage-DYAM8feB.js, content-scripts/common.js, content-scripts/site.js, content-scripts/camsite.js, and background.js. These findings represent generic fetch and socket_io calls without any specific suspicious domain destinations. The absence of malicious domain IoCs (0 in threat_indicators) is significant—the network activity appears consistent with a livestream enhancement tool communicating with streaming platforms.

Obfuscation Concerns: Two high-severity obfuscation findings (OBFUSCATION-UNICODE_HEAVY) were detected in content-scripts/camsite.js:1 and content-scripts/site.js:4. While unicode_heavy obfuscation can be used to hide malicious code, it is also commonly employed to protect intellectual property. The critical distinction is that no malware signatures matched in the analysis (malware-signature: 0, malware: 0).

Developer Attribution: The developer is listed as [email protected], an email address rather than a verified company name. While this reduces trust compared to established publishers, it does not confirm malicious intent.

Counterargument: A skeptic could argue that the combination of high-severity obfuscation findings, an anonymous email-based developer, and 40,000 users warrants concern. However, obfuscation alone without malware signatures, suspicious domain connections, or credential theft indicators is insufficient evidence of malicious behavior. The extension's stated purpose (livestream enhancement) aligns with the observed network patterns, and the absence of any actual malware signatures or data exfiltration indicators strongly suggests these are false positives from generic detection rules.

The verdict is likely_false_positive because the findings represent code-smell patterns (obfuscation, network calls) rather than confirmed malicious behavior. The extension should be monitored for future updates, but current evidence does not support a malicious classification.

Key Reasons

  • No malware signatures detected (malware-signature: 0)
  • No suspicious domain IoCs found (ioc: 0)
  • Network activity consistent with livestream functionality
  • Obfuscation present but no malicious payload confirmed
  • Extension purpose matches observed behavior

False Positive Considerations

  • Generic fetch/socket_io network detections without specific domains
  • Unicode heavy obfuscation common in legitimate code protection
  • Code-smell findings without malware signatures

Frequently Asked Questions