Is "API Tester Pro — REST Client" on Chrome Web Store Safe to Install?
Test REST APIs from your browser. Send GET, POST, PUT, DELETE requests with headers and body. View formatted JSON responses.
Risk Assessment
Analyzed
3 security findings detected across all analyzers
Chrome extension requesting 1 permission
Requested Permissions
1 permission
Detailed Findings
3 total
AI Security Review
Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is "benign but powerful" with 75% confidence.
Recommended action: runtime analysis.
Risk context: MEDIUM risk, score 44/100.
Evidence context: threat category none; evidence quality moderate.
This extension presents as a REST API testing tool with three network findings that align with its declared functionality. The extension's description reads "Test REST APIs from your browser. Send GET, POST, PUT, DELETE requests with headers and body," and the findings confirm this: popup/popup.js:67 contains a fetch call, and popup/license_validator.js contains two additional fetch calls at lines 104 and 138. These network calls are the expected behavior for an API testing extension: the core function of this tool is to make HTTP requests to user-specified endpoints.
No malware signatures were detected in any scanned files. The findings summary shows zero matches for malware-family patterns, zero obfuscation indicators, and zero suspicious IoC domains. This absence of malicious indicators is significant: confirmed malware typically exhibits at least one of these patterns, particularly when combined with network activity.
The license_validator.js file warrants attention. This file makes two fetch calls that likely communicate with a licensing server. While this could represent a legitimate SaaS licensing model (common for "Pro" tier extensions), the anonymous publisher ([email protected]) means we cannot verify the legitimacy of this licensing infrastructure. Runtime analysis would reveal what domains the license validator contacts and what data it transmits.
Counterargument: A skeptic might argue that the anonymous Gmail developer address combined with a license validation mechanism creates sufficient uncertainty to warrant a more cautious verdict. However, this argument overweights publisher identity while underweighting the actual code behavior. The extension performs exactly what it claims to do (API testing), the network findings are functionally necessary for that purpose, and there is no evidence of data exfiltration, credential theft, or other malicious patterns. The license validator is a business model concern, not a confirmed security threat.
The extension has zero users, indicating it is either newly published or has limited adoption. This limits the attack surface but also means there is no community validation of its behavior. The extension should be monitored for updates that might introduce suspicious behavior, but the current evidence supports a benign classification.
Key Reasons
- Network findings align with core API testing functionality
- No malware signatures or obfuscation detected
- License validator requires runtime analysis to verify data handling
False Positive Considerations
- Network findings are expected for API testing tools
- No suspicious IoCs identified
Source Code Not Available
Source code is not available for this version of the extension.