Is "FoxSpark" on Chrome Web Store Safe to Install?

[email protected] · chrome · v0.1.0

FoxSpark is an AI-powered writing assistant for X (formerly Twitter). It analyzes your posting history to build a unique voice profile, then generates on-brand draft posts that match your style.

Key features:

  • Voice Profile — Load any X profile to capture tone, vocabulary, and writing patterns
  • Smart Drafts — Generate multiple draft options with your personal voice
  • Trending Topics — Browse hot events and create timely posts with one click
  • Lite & Deep Mode — Quick drafts for speed, or deep-thinking mode for quality
  • Post Length Control — Short tweets, medium posts, or long-form content
  • Multi-language — Supports English, Chinese, Japanese, Korean, and Spanish
  • One-click Insert — Send drafts directly into the X composer

Works as a side panel or popup on x.com and twitter.com.

Risk Assessment

Analyzed: 56.22 out of 100 (MEDIUM)

4 security findings detected across all analyzers

Chrome extension requesting 6 permissions

Severity Breakdown

  • Critical: 0
  • High: 2
  • Medium: 2
  • Low: 0
  • Info: 0

Finding Categories

  • Obfuscation: 2
  • Network: 1

Requested Permissions

6 permissions:

  • tabs (Medium)
  • storage (Low)
  • sidePanel (Low)
  • https://x.com/* (Low)
  • https://twitter.com/* (Low)
  • https://api-foxspark.tomo.services/* (Low)

Detailed Findings

4 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: no action.
Risk context: HIGH risk, score 69/100.
Evidence context: threat category none; evidence quality moderate.

FoxSpark is an AI-powered draft generator for X/Twitter with 78 total findings, but the nature of these findings indicates systematic false positives rather than malicious behavior.

The 51 IoC findings are predominantly garbage from the XIOC extractor. Examples include XIOC-DOMAIN-parsed.host, XIOC-DOMAIN-date.now, XIOC-DOMAIN-state.hotevents.map, XIOC-DOMAIN-event.author, XIOC-DOMAIN-action.select, XIOC-DOMAIN-ui.dot, XIOC-DOMAIN-persona.author, XIOC-DOMAIN-clusters.map, and XIOC-DOMAIN-windowinfo.id. These are JavaScript property access chains being misread as domains—a documented false positive pattern in the CVEQ system. None of these represent actual network destinations.

The only legitimate-looking IoC is XIOC-URL-https://api-foxspark.tomo.services, which is consistent with the extension's stated purpose as an AI draft generator requiring backend API calls. The other URL finding XIOC-URL-https://clients2.google.com/service/update2/crx is Google's standard Chrome extension update endpoint, not suspicious behavior.

The 23 code-smell findings are classified as severity=low and represent benign patterns like standard Node.js operations, API key references, and code quality rules. Per the CVEQ guidelines, code-smell findings should never drive a verdict. The 2 obfuscation findings lack specificity in the evidence bundle, and without malware signatures co-located with obfuscation, this does not indicate malicious intent.

Critically, the findings summary shows 0 malware signatures and 0 malware findings. This is the most important signal—confirmed malicious extensions have actual malware signatures, not just high IoC counts from property chain extraction errors.

The strongest counterargument would be that 78 total findings with 51 IoCs represents significant risk. However, the guidelines explicitly state that IoC COUNT alone is meaningless and that property access chains like b.call, h.next, g.id are known false positives. The extension has a legitimate developer email ([email protected]), a coherent description matching its likely functionality, and no evidence of credential theft, browser hijacking, typosquatting, or malware delivery. The finding volume is driven by extractor noise, not malicious code.

The extension is new (version 0.1.0, 0 users), which warrants monitoring but does not constitute evidence of harm.

Key Reasons

  • All 51 IoC findings are property access chains misread as domains (known XIOC false positive pattern)
  • Zero malware signatures and zero malware findings in the evidence
  • Single legitimate API endpoint (api-foxspark.tomo.services) matches extension's stated AI draft generator purpose
  • Code-smell findings are low-severity and should not drive verdict per guidelines

False Positive Considerations

  • XIOC property access chain extraction errors
  • Code-smell rule noise on standard JavaScript patterns
  • Google Chrome update endpoint flagged as IoC

Frequently Asked Questions