Is "Research Notes" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-28. The review verdict is likely false positive with 82% confidence.

Recommended action: suppress false positive.
Risk context: HIGH risk, score 76/100.
Evidence context: threat category none; evidence quality moderate.

The 41 network findings in this extension all originate from JQueryStatic.d.ts, a TypeScript type definition file. Every network finding (NET-JQUERY_AJAX-JQueryStatic.d.ts-1724, NET-JQUERY_AJAX-JQueryStatic.d.ts-1752, etc.) represents a method signature declaration in the jQuery type library, not actual executable network calls. TypeScript definition files (.d.ts) are compile-time type declarations that describe API interfaces—they contain no runtime code and cannot execute network requests. The static analysis tool incorrectly flags these type signatures as network activity, which is a well-documented false positive pattern.

The extension's stated functionality—bookmarking, tagging, adding notes, and saving quotes—aligns with the presence of jQuery dependencies. A research notes extension would reasonably use jQuery for DOM manipulation and AJAX calls to save user data. The developer attribution ([email protected]) is an email address rather than a company name, which is common for smaller independent extensions but does not indicate malicious intent.

Critically, there are zero IoC findings, zero malware signatures, and zero code-smell findings. The 4 obfuscation findings are not detailed in the evidence bundle, but without accompanying malware signatures or suspicious domains, obfuscation alone is insufficient for a malicious verdict. The 2 critical and 2 high severity findings are almost certainly from the same JQueryStatic.d.ts file pattern, where severity ratings are inflated for type definition matches.

Counterargument: A skeptic might argue that 46 total findings with 2 critical and 2 high severity ratings warrants concern. However, CVEQ's scoring system has documented biases that inflate severity for type definition files and bundled dependencies. The nature of the findings matters more than their count or severity labels. Every single network finding traces to the same .d.ts file containing jQuery type signatures, not executable JavaScript. If this were truly malicious, we would expect to see suspicious domains in IoCs, malware signatures, or network calls from actual .js files—not type definitions.

Resolution: This extension should be suppressed from malicious alerts. The findings represent static analysis noise from TypeScript type definitions, not actual malicious behavior. No takedown or escalation is warranted.

Key Reasons

• All 41 network findings originate from JQueryStatic.d.ts type definition file, not executable code
• Zero malware signatures and zero suspicious IoCs detected
• Extension functionality matches stated purpose (research notes tool)
• TypeScript .d.ts files cannot execute network requests at runtime

False Positive Considerations

• TypeScript definition file (JQueryStatic.d.ts) scanned as executable code
• jQuery type signatures flagged as network calls
• Severity inflation for type definition matches
• No actual suspicious domains in IoC findings