Is "SnapLab" on Chrome Web Store Safe to Install?
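SnapLab is a web assistant extension designed to improve your online experience, currently focused on powerful image-processing features. It lets you preview images directly on the current page without opening a new tab. Through seamless interaction, you can effortlessly zoom, rotate, and flip images. Whether you are browsing social media, reading articles, or looking for inspiration, SnapLab ensures images are presented quickly and smoothly, the way you expect. While we currently prioritize image-related features, we are expanding to support more page elements (such as links) and advanced content-processing tools. Image beautification, format conversion, enhanced web tools, and other powerful features will be released in the future, continually improving your experience. With SnapLab, experience a faster, more intuitive way to browse the web.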
Risk Assessment
Analyzed: 5 security findings detected across all analyzers
Chrome extension requesting 4 permissions
Requested Permissions
4 permissions: Access and modify data on every website you visit
Detailed Findings
5 total
AI Security Report
AI Security Review
Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-28. The review verdict is likely false positive with 75% confidence.
Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 59/100.
Evidence context: threat category none; evidence quality moderate.
SnapLab is a Chinese web assistant extension (developer: [email protected]) designed for image preview, zoom, and rotation functionality. The evidence bundle contains 5 findings across 3 categories, but none indicate confirmed malicious behavior.
Network Activity: The extension declares 3 fetch calls in content-scripts/content.js:1, content-scripts/content.js:2, and background.js:1. However, the findings summary explicitly shows "ioc":"0" — no suspicious domains were extracted. Generic fetch calls without identifiable malicious destinations are common in legitimate extensions that need to communicate with their own services or APIs.
Obfuscation Finding: The high-severity OBFUSCATION-UNICODE_HEAVY flag in content-scripts/content.js:1 is the most concerning signal. However, this is likely a false positive. The extension's description is in Chinese ("网页助手插件,包含图片预览、缩放、旋转等图片处理相关功能", i.e. "a web assistant plugin including image preview, zoom, rotation and other image-processing features"), and Chinese characters are Unicode-heavy by nature. The CVEQ guidelines explicitly note that zero-width Unicode characters in locale/i18n files for non-Latin scripts are legitimate, not steganography. While this finding is in a JS file rather than a locale file, the presence of Chinese text in a Chinese-language extension reasonably explains the unicode_heavy detection.
Manifest Permissions: The MANIFEST-SENSITIVE-PERM-TABS finding in manifest.json is medium severity. The tabs permission is sensitive but legitimate for a web assistant that needs to interact with page content for image processing.
Critical Absences: No malware signatures ("malware-signature":"0"), no suspicious IoC domains, no credential-access patterns, and no code-smell findings. The findings summary shows "code-smell":"0" and "malware":"0", which is significant.
Counterargument: A skeptic would argue that the combination of high-severity obfuscation, anonymous developer (gmail address), and zero users suggests a potentially malicious extension in early deployment. However, this reasoning fails to account for the lack of any actual malicious indicators. Obfuscation alone without malware signatures or suspicious network destinations does not constitute evidence of harm. The unicode_heavy pattern in a Chinese-language extension is a documented false-positive pattern. The zero user count and early version (0.0.11) indicate this is likely a developer's test extension rather than a deployed threat.
The verdict is likely_false_positive because the findings are explainable by benign factors (Chinese text triggering unicode detection, legitimate fetch calls without malicious destinations) and lack the corroborating evidence required for a malicious verdict (malware signatures, suspicious domains, credential theft patterns).
Key Reasons
- No malware signatures or suspicious IoC domains detected
- Unicode_heavy finding likely triggered by Chinese language content
- Generic fetch calls without malicious destinations
- Extension description matches stated image-processing functionality
- No code-smell or credential-access findings present
False Positive Considerations
- Unicode-heavy detection triggered by Chinese text in extension
- Generic fetch calls without suspicious domain extraction
- No malware signatures or credential-access patterns found
- Zero IoC domains extracted despite network activity
Source Code Not Available
Source code is not available for this version of the extension.