Is "VivoKey Vault" on Firefox Add-ons Safe to Install?

Riley Gall · firefox · v1.43.6

The open source VivoKey Vault browser extension connects to the VivoKey Vault hosted data service (based on the popular Bitwarden project). Account registration and authentication are done strictly using VivoKey cryptobionic chip implants, scanned via NFC. To learn more, visit www.vivokey.com/vault. Source code is available via GitHub at https://github.com/VivoKey/vault-browser. Our privacy policy can be found here: http://vivokey.com/vault-privacy, and the short version is below: We only collect the information you choose to give us, and we process it with your consent, or on another legal basis; we only require the minimum amount of personal information that is necessary to fulfill the purpose of your interaction with us; we don't sell it to third parties; and we only use it as this Privacy Statement describes. If you're visiting us from the EU, please see our global privacy practices: we comply with the General Data Protection Regulation (GDPR). No matter where you are, where you live, or what your citizenship is, we provide the same standard of privacy protection to all our users around the world, regardless of their country of origin or location.

Risk Assessment

Analyzed: risk score 0 out of 100 (MINIMAL)

0 security findings detected across all analyzers

Firefox extension requesting 13 permissions

No Threats Detected

This extension passed all security checks


No Findings

All security checks passed

AI Security Report

AI Security Analysis: VivoKey Vault

Analysis generated: 2025-12-12T21:18:03+13:00
Model: gemini-3-pro-preview


Quick Facts

Property           Value
UUID               0084be17-11fc-51e0-be7d-d55996d09463
Type               firefox
Version
Users              2
Risk Score         100.0/100 (CRITICAL)
Malware Detected   ⚠️ Yes
Secrets Exposed    ✅ No
Critical Vulns     ✅ No

AI Analysis

Executive Summary

The VivoKey Vault extension for Firefox presents a CRITICAL security risk, evidenced by a maximum Risk Score of 100/100 and a Trust Score of 0/100. The analysis detected over 2,200 security findings, including 205 high-severity malware signatures and over 2,000 Indicators of Compromise (IOCs). The findings strongly suggest the extension contains unpruned development dependencies, potential supply chain compromises, or malicious scripts capable of system manipulation and persistence. Immediate removal or avoidance of this extension is strongly advised.

Threat Assessment

The security posture of this extension is alarming due to the volume and nature of the findings.

  • Supply Chain & Dependency Risks: The prevalence of postinstall_ YARA signatures (e.g., postinstall_system_command, postinstall_network_communication) strongly suggests that the developer has included the entire node_modules directory (including development dependencies) in the final extension package. In the Node.js ecosystem, "postinstall" scripts are a common vector for supply chain attacks. Their presence in a browser extension is highly irregular and dangerous.
  • System Integrity Threats: The analysis flagged capabilities for persistence_mechanism, file_manipulation, and system_command. A browser extension should generally not require or possess the ability to execute system-level commands or establish persistence outside the browser environment.
  • Potential Credential Leak: The finding YARA--credential_env_files indicates the potential inclusion of .env files, which developers often use to store API keys, database passwords, and other secrets. If these are bundled in the extension, they are publicly readable.
  • Obfuscation: The presence of postinstall_obfuscation indicates code that is intentionally hidden or packed, preventing easy analysis. While sometimes used for IP protection, in this context, it raises suspicion of concealed malicious functionality.

Risk Justification

The 100/100 Risk Score is fully justified based on the following factors:

  1. High-Severity Volume: 206 High-severity findings is an exceptionally high number for a browser extension, indicating a fundamental lack of security hygiene or active malicious intent.
  2. Malware Signatures: 205 distinct malware signature matches indicate code patterns identical to known malicious software or compromised NPM packages.
  3. Massive IOC Count: 2,001 Indicators of Compromise suggest the extension references a vast network of suspicious domains, IPs, or file hashes, likely stemming from bloated and compromised dependencies.
  4. Unverified Publisher: The developer "Riley Gall" is unverified, and the user count is extremely low (2), providing no community trust or reputation to counterbalance the technical findings.

Key Findings

  • Suspicious Post-Install Scripts: Multiple findings (e.g., postinstall_system_command, postinstall_network_communication) indicate the presence of scripts designed to run after installation, capable of executing shell commands and opening network connections.
  • Persistence Mechanisms: The postinstall_persistence_mechanism finding suggests code designed to maintain access to the host system across restarts, a behavior typical of malware.
  • Exposed Secrets: YARA--credential_env_files suggests the developer may have accidentally published internal configuration files containing sensitive secrets.
  • Cryptographic Weakness: YARA--NoUseWeakRandom indicates the use of insecure random number generators, which is critical given the extension appears to be a "Vault" for identity/keys.
  • Obfuscated Code: postinstall_obfuscation highlights code segments that have been deliberately obscured, hindering transparency and auditability.

Recommendations

  1. DO NOT INSTALL: Under no circumstances should this extension be installed in a production environment or on a machine containing sensitive data.
  2. Immediate Removal: If installed, remove the extension immediately. Given the "persistence" findings, a full anti-malware scan of the host machine is recommended after removal.
  3. Credential Rotation: If you have installed this extension, assume any credentials stored within it or accessible to the browser (saved passwords, active sessions) are compromised. Rotate these credentials immediately.
  4. For the Developer:
    • Implement Bundling: Use a bundler (like Webpack, Rollup, or Parcel) to compile only the necessary code. Do not upload the node_modules folder.
    • Secret Management: Remove .env files from the build artifact. Use environment variables during the build process instead.
    • Dependency Audit: Run npm audit or similar tools to identify and remove compromised dependencies in your project tree.

Mitigation Strategies

Given the Critical risk level, standard mitigation is insufficient. However, if analysis is required for research purposes:

  1. Isolated Environment: Only run this extension inside a disposable Virtual Machine (VM) or a sandbox with no network access to the host or internal networks.
  2. Network Monitoring: If the extension must be run, monitor all outbound network traffic to identify where the 2000+ IOCs are attempting to connect.
  3. Code Review: Extract the .xpi (Firefox extension file) and manually inspect the file structure. Look specifically for a node_modules folder and .env files to confirm the source of the findings.

Confidence Assessment

Confidence Level: 80%

The confidence is high regarding the presence of dangerous code patterns due to the specific YARA matches. However, the location is listed as unknown_file for many findings. This ambiguity prevents 100% certainty regarding whether the malicious code is active (executable by the browser) or passive (inert files inside a zipped dependency folder). Regardless of whether the code is active or inert, the security risk remains Critical due to the attack surface it presents.


Disclaimer

This analysis was generated by an AI model and should be reviewed by security professionals. The findings are based on automated security scanning and may include false positives. Always verify critical findings manually before taking action.

Frequently Asked Questions