Is "YT Time Machine" on Chrome Web Store Safe to Install?

[email protected] · chrome · v1.1

Ever wish you could travel back and experience a YouTube channel's golden era? Or maybe you're trying to track down a specific set of tutorials from a few years ago, but you're tired of scrolling past hundreds of recent uploads just to find them. YT Time Machine is the ultimate filter for YouTube power users. Whether you want to see exactly what made a creator blow up in 2018, dig up the best tech guides from 2022, or just binge-watch the absolute top-tier bangers from 2023–2026, this extension makes it happen instantly.

How it works:

  1) Navigate to any YouTube channel's "Videos" tab.
  2) Click the YT Time Machine icon and set your "From" and "To" years.
  3) Hit Find Top 20.
  4) Boom. You instantly get a sleek, dark-mode dashboard showcasing the most viewed, most viral videos from exactly that era.

Risk Assessment

Analyzed: 62.69 out of 100 (MEDIUM)

32 security findings detected across all analyzers

Chrome extension requesting 5 permissions

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 22
  • Low: 10
  • Info: 0

Finding Categories

  • Network: 1
  • IoC Indicators: 19

YARA Rules Matched

7 rules (10 hits)

  • postinstall network communication
  • postinstall file download
  • postinstall crypto operations
  • postinstall file manipulation
  • AlertStatementsShouldNotBeUsed
  • postinstall environment access
  • postinstall system command

Requested Permissions

5 permissions

  • activeTab: Medium
  • tabs: Medium
  • scripting: Low
  • https://www.youtube.com/*: Low
  • https://www.googleapis.com/*: Low

Detailed Findings

12 total

YARA Rule Matches

7 rules

Indicators of Compromise

Network indicators, suspicious strings, and potential IoCs extracted during analysis

  • URLs: 5
  • Domains: 14
  • Strings: 19

All Indicators · 19

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 78% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 63/100.
Evidence context: threat category none; evidence quality weak.

Extension Overview

"YT Time Machine" (version 1.1) claims to let users "travel back and experience a YouTube channel's golden era" based on its store description. The developer is listed as an email address ([email protected]) with no company attribution, and the extension has 0 users. These factors warrant scrutiny but do not constitute evidence of malicious intent.

Finding Analysis

The evidence contains 32 total findings, but the vast majority are known false positive patterns:

  1. IoC False Positives: Of the 20 IoC findings, 4 are clearly property access chains misread as domains: row.target, header.style, row.style, and closebtn.style. These are JavaScript/CSS property accesses (e.g., element.style) that the XIOC extractor incorrectly parses as domain names. This is a well-documented false positive pattern.

  2. Benign Domains: The remaining IoCs include https://youtube.com/watch?v=$, https://clients2.google.com/service/update2/crx, https://www.googleapis.com/*, and https://www.youtube.com/* — all legitimate Google/YouTube infrastructure domains.

  3. Suspicious Domain: The only potentially concerning IoC is yt-proxy-psi.vercel.app. Vercel is a legitimate hosting platform, and this domain could be the extension's own proxy service for YouTube functionality. Without evidence of data exfiltration or malicious behavior, this domain alone does not confirm malicious intent.

  4. Code-Smell Noise: The 10 code-smell findings are classified as low severity and match known noise patterns (basic Node.js patterns, generic code quality rules). Per the guidelines, code-smell findings should not drive verdicts.

  5. No Malware Signatures: Critically, there are 0 malware signatures, 0 obfuscation findings, and 0 credential theft patterns. The tabs permission in manifest.json is consistent with the extension's stated YouTube functionality.

Counterargument

A skeptic might argue that the yt-proxy-psi.vercel.app domain combined with the tabs permission and anonymous developer could indicate a data collection or proxyware extension. However, this argument fails because: (1) there is no malware signature evidence, (2) no obfuscation is present, (3) no credential theft patterns exist, and (4) proxy functionality could be legitimate for the stated "time machine" feature. The finding volume is inflated by known IoC false positive patterns, not malicious behavior.

Conclusion

The evidence quality is weak for confirming malicious intent. The findings are consistent with a legitimate but poorly documented extension, with finding volume driven by known false positive patterns rather than actual threats.

Key Reasons

  • No malware signatures detected (0 findings)
  • IoC findings dominated by false positive patterns (property chains, benign domains)
  • Code-smell findings are known noise per CVEQ guidelines
  • No obfuscation or credential theft patterns present
  • No evidence of data exfiltration or malicious network behavior

False Positive Considerations

  • IoC property access chains misread as domains (row.target, header.style)
  • Code-smell findings classified as low severity noise
  • Benign Google/YouTube infrastructure domains in IoC list
  • No malware signatures or obfuscation present
