Is "Vibe Code Detector" on Chrome Web Store Safe to Install?
Vibe Code Detector is a free, open-source browser extension that reveals which AI tools, IDEs, and platforms were used to build any website. Instantly detect the “DNA” of Cursor, v0, Lovable, and more, right from your browser.
- Detects AI IDEs, agents, and platforms
- Heuristic analysis of Tailwind, Shadcn, Radix, Lucide, and more
- Forensic, dark-themed UI
- 100% open source (MIT License)
- No data collection, no tracking, privacy-first
Risk Assessment
Analyzed
2 security findings detected across all analyzers
Chrome extension requesting 2 permissions
Requested Permissions
2 permissions
About This Extension
Detailed Findings
2 total
AI Security Report
AI Security Review
Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.
Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 63/100.
Evidence context: threat category none; evidence quality moderate.
The Vibe Code Detector extension shows 191 total findings, but every single one stems from known CVEQ false-positive patterns. The 167 IoC findings are all property access chains misread as domains by the XIOC extractor. Specific examples from the evidence include this.animation.play, i.style, ht.read, this.props.style, a.map, and a.target — these are JavaScript property access patterns, not network destinations. This matches the documented false-positive pattern where chains like b.call, h.next, g.id are incorrectly flagged as domains.
The 22 code-smell findings are classified as low severity and likely trigger on generic patterns like postinstall_* rules that match basic Node.js patterns (fetch, exec, fs, crypto). These are explicitly documented as noise that should never drive a verdict. Critically, there are zero malware signatures, zero obfuscation findings, and zero actual suspicious domains in the evidence bundle.
The extension's stated purpose — detecting AI-generated or "Vibe Coding" sites — is a legitimate use case for a developer tool. The developer is listed as [email protected], which is an email address rather than a verified company, but this alone does not indicate malicious intent. The extension has 0 users, suggesting it is newly published or niche, but user count alone does not determine safety.
The strongest counterargument would be that 191 findings represent significant risk. However, finding count is explicitly not evidence; finding nature is. All 167 IoC findings are garbage from the XIOC extractor's property access chain misinterpretation. The 22 code-smell findings are low-severity patterns that fire on almost any non-trivial JavaScript. With zero malware signatures, zero obfuscation, and no real suspicious domains (only parser artifacts), the finding volume is entirely explainable as false positives. A skeptic might point to the email-based developer identity, but anonymous developers publish legitimate extensions regularly, and the code behavior shows no malicious indicators.
Key Reasons
- All 167 IoC findings are property access chains (this.animation.play, a.style) misread as domains by the XIOC extractor
- Zero malware signatures detected
- Zero obfuscation findings
- 22 code-smell findings are low-severity generic patterns documented as noise
- Extension purpose (AI code detection) is legitimate with no behavioral red flags
False Positive Considerations
- XIOC property access chain misinterpretation
- Code-smell rules on generic patterns
- High finding count from bundled/minified code
Source Code Not Available
Source code is not available for this version of the extension.