Is "LearnicsU" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-28. The review verdict is likely false positive with 75% confidence.

Recommended action: monitor.
Risk context: MEDIUM risk, score 53/100.
Evidence context: threat category none; evidence quality moderate.

The LearnicsU extension (version 4.5.4) is a citation and research tool with 8,000 users. Analysis of the evidence bundle reveals only 3 total findings across the entire codebase, with zero malware signatures, zero suspicious IoCs, and zero code-smell detections.

The manifest analysis finding (MANIFEST-SENSITIVE-PERM-TABS in manifest.json) indicates the extension declares the 'tabs' permission. For a citation tool that creates bibliographies from web pages, this permission is functionally necessary and aligns with the stated purpose described in the extension description.

The network finding (NET-JQUERY_AJAX-158.js-1 in 158.js:1) detects a jQuery AJAX call. jQuery AJAX is a standard, legitimate pattern used by thousands of browser extensions for network requests. Critically, the IoC extractor found zero suspicious domains, meaning no external destinations were flagged as malicious or suspicious. The absence of suspicious network destinations is a strong indicator of benign behavior.

The obfuscation finding (OBFUSCATION-SUSPICIOUS_EXTERNAL_IMPORT-285.js-0 in 285.js:0) is the only high-severity finding. However, without accompanying malware signatures or suspicious IoCs, this finding is ambiguous. Modern JavaScript projects frequently import from external sources (CDNs, npm packages, or bundled dependencies), and the XIOC extractor produces false positives on legitimate external imports. The finding title 'suspicious_external_import' describes the pattern detected, not confirmed malicious behavior.

The developer attribution ([email protected]) provides identifiable contact information, which is better than anonymous publishing. The extension's stated purpose (citation generation in APA, MLA, or Chicago format) is clear and matches the observed behavior (tabs access for reading web content, AJAX calls for processing data).

Counterargument: A skeptic could argue that the high-severity obfuscation finding combined with tabs permission and network calls warrants concern for potential data exfiltration or credential harvesting. However, this argument fails on multiple fronts: there are zero malware signatures (the strongest indicator of actual malicious code), zero suspicious network destinations (the IoC extractor found no concerning domains), and the findings align perfectly with legitimate citation tool functionality. The obfuscation finding alone, without supporting evidence of malicious behavior, is insufficient to declare this extension malicious.

The evidence quality is moderate because we have sufficient findings to analyze, but the obfuscation finding lacks context about what the external import actually contains. The recommended action is to monitor this extension, as the current findings do not warrant suppression but also do not indicate malicious behavior.

Key Reasons

• No malware signatures detected in any file
• No suspicious IoCs or external domains found
• Findings align with legitimate citation tool functionality
• Identifiable developer attribution ([email protected])
• Minimal total finding count (3 findings across entire extension)

False Positive Considerations

• jQuery AJAX is a legitimate web extension pattern
• External imports are common in modern JavaScript projects
• Tabs permission aligns with citation tool purpose