Is "Scan Group Number TuDongChat" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 78% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 44/100.
Evidence context: threat category none; evidence quality moderate.

The Scan Group Number TuDongChat extension exhibits 9 network findings across multiple files, but these are generic "fetch detected" and "socket_io detected" alerts without specific suspicious domains. The network calls in scripts/_content.js:4, scripts/_content.js:5, scripts/_content.js:3, entries/background.js:1, and entries/popup.js:1 are consistent with a ChatGPT customer consulting tool that requires API communication. The file shared/runtime-dom.esm-bundler.js contains bundled framework code (indicated by the "esm-bundler" naming pattern), which explains the jQuery AJAX and Socket.io findings as expected dependency behavior.

Crucially, there are zero malware signatures, zero obfuscation findings, and zero IoC findings in the evidence bundle. The findings_summary explicitly shows "malware-signature":"0" and "obfuscation":"0". This absence of high-confidence threat indicators is the strongest signal that the extension is benign. The extension's stated purpose—supporting customer consulting using ChatGPT AI—aligns with the observed network behavior of making fetch and socket.io calls.

The developer is listed as [email protected], which is an email address rather than a company name. While less ideal than a verified publisher, this does not constitute impersonation or typosquatting. The extension name "Scan Group Number TuDongChat" does not mimic any known popular extension, and there is no evidence of Cyrillic character substitution or icon copying.

The strongest counterargument to this verdict is the email-only developer attribution combined with 7,000 users, which could theoretically enable a malicious extension to reach many victims. However, this argument fails because the actual code findings show no malicious behavior. The network findings are generic API calls without exfiltration patterns, credential access, or connections to suspicious domains. A malicious extension would show at least some malware signatures, obfuscation, or specific suspicious IoCs—none of which are present. The 9 findings are all medium-severity network detections that fire on any extension making API calls, which is expected behavior for a ChatGPT integration tool.

The "Last updated at 09/04/2026" date appears to be a data extraction error or metadata issue rather than evidence of malicious intent, as it is a future date that cannot be verified. Overall, the evidence points to a legitimate extension with standard API communication patterns, and the CVEQ findings represent known false-positive patterns from the network detector.

Key Reasons

• Zero malware signatures detected
• Zero obfuscation findings
• Network findings are generic fetch/socket.io calls consistent with ChatGPT integration
• No suspicious domains in IoC findings
• File structure indicates legitimate bundled application (esm-bundler.js)

False Positive Considerations

• Generic network fetch detection fires on any API call
• Bundled framework code in shared/runtime-dom.esm-bundler.js
• Socket.io library usage triggers network findings
• jQuery AJAX in bundled dependencies