Is "iMA Prayer" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 80% confidence.

Recommended action: no action.
Risk context: MEDIUM risk, score 44/100.
Evidence context: threat category none; evidence quality moderate.

The iMA Prayer extension shows 3 network findings, all fetch calls located in popup.js at lines 93, 103, and 139. These network calls are entirely consistent with the extension's stated purpose: a prayer times application must fetch prayer time data from an external API to function. The findings summary confirms zero malware signatures, zero IoCs, zero obfuscation detections, and zero code-smell findings across all scanned files.

The developer identity [email protected] uses a personal Gmail address rather than a verified company domain, which is common for small developers but provides no attribution to a known publisher. The user count of 0 indicates this is either a newly published extension or one that has not gained traction. Neither of these factors alone indicates malicious behavior.

Critically, the IoC extractor found no suspicious domains, IPs, or URLs in the codebase. If this extension were exfiltrating data or communicating with malicious infrastructure, the XIOC extractor would have flagged specific domains. The absence of any IoC findings despite 3 network fetch calls suggests the fetch destinations are benign (likely prayer time API services).

The code structure shows no obfuscation, which is a strong indicator of legitimate code. Malicious extensions typically employ obfuscation to hide their behavior from security tools. The absence of code-smell findings (severity=low) further indicates clean, readable code without suspicious patterns.

Counterargument: A skeptic might argue that the Gmail developer address combined with zero users and network activity could indicate a new malicious extension. However, this argument fails because the network findings lack any specific suspicious indicators. The fetch calls in popup.js target unknown domains, but without IoC extraction showing malicious domains (like query., search., or known bad actors), there is no evidence of data exfiltration or command-and-control communication. Legitimate prayer extensions must fetch data from APIs—this is expected behavior, not suspicious activity. The verdict remains likely_false_positive because the evidence shows normal functionality without any concrete threat indicators.

Key Reasons

• Zero malware signatures across all scanned files
• Zero IoCs extracted despite 3 network fetch calls
• Zero obfuscation findings indicating clean code structure
• Network activity consistent with stated prayer times functionality
• No suspicious domains or URLs detected in codebase

False Positive Considerations

• Generic fetch detection on legitimate API calls
• Personal Gmail developer address flagged as unverified
• Zero user count for new/unpublished extension
• Network findings without suspicious domain extraction