Is "FocusFlow" on Chrome Web Store Safe to Install?

[email protected] · chrome · v3.0

Struggling to stay focused online? FocusFlow is the ultimate productivity tool that helps you block distracting websites, social media, and ads so you can concentrate on what really matters. With our easy-to-use Focus Mode, you can schedule blocks during study, homework, or work hours, ensuring that distractions don’t interrupt your flow. You can also block entire categories of websites, like social media, streaming platforms, news sites, or gambling sites, giving you full control over your online environment. Take your focus to the next level with time limits on popular sites like YouTube, TikTok, Instagram, and Reddit, so you can enjoy entertainment without losing hours. Track your productivity and see exactly how much time you’ve saved, helping you stay motivated and organized. Whether you’re a student trying to finish homework, a professional managing work, or anyone looking to improve their focus, FocusFlow makes it easy to stay productive and in control. Install now and start turning distractions into achievements!

Risk Assessment

Analyzed: 58.74 out of 100 (MEDIUM)

7 security findings detected across all analyzers

Chrome extension requesting 6 permissions

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 5
  • Low: 2
  • Info: 0

Finding Categories

  • Network: 4

Requested Permissions

6 permissions

  • <all_urls> (Dangerous): Access and modify data on every website you visit
  • tabs (Medium)
  • declarativeNetRequest (Low)
  • declarativeNetRequestFeedback (Low)
  • storage (Low)
  • alarms (Low)


Detailed Findings

7 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 75% confidence.

Recommended action: no action.
Risk context: MEDIUM risk, score 59/100.
Evidence context: threat category none; evidence quality moderate.

FocusFlow is a productivity extension designed to "Block distractions with timed locks, tasks/points, schedules, and analytics." Analysis of the evidence bundle reveals no indicators of malicious behavior.

Malware and Obfuscation: The findings summary shows zero malware signatures, zero obfuscation findings, and zero suspicious IoCs. This is a strong positive signal. The extension contains no code-smell findings (finding count: 0 in code-smell category), which means YARA rules for suspicious patterns did not trigger.

Network Activity: Four network findings were detected, all classified as NET-AXIOS calls in focusflow_app/src/categories.js:37, focusflow_app/renderer/app.js:10, popup.js:27, and background.js:27. These are generic HTTP library calls using axios, a standard Node.js/JavaScript HTTP client. Critically, no suspicious domains were extracted in the IoC category (count: 0). Without evidence of data transmission to unknown or malicious domains, these network calls are consistent with legitimate API usage for syncing tasks, analytics, or schedules as described in the extension's functionality.

Permissions: The manifest analysis flagged tabs permission as potentially sensitive (MANIFEST-SENSITIVE-PERM-TABS in manifest.json). However, this permission aligns with the extension's stated purpose of blocking distractions and managing focus sessions. A productivity tool that "locks" tabs or tracks browsing activity requires tabs permission to function. This is not evidence of malicious intent.

Dependencies: Two dependency findings were identified in focusflow_app/package.json: electron-store@^8.1.0 and sudo-prompt@^9.2.1. These are legitimate npm packages. electron-store is a configuration storage library, and sudo-prompt handles privilege escalation prompts. Neither is inherently malicious.

Counterargument: A skeptic might argue that the developer identity ([email protected]) is an anonymous email address rather than a verified publisher, and the user count of 1 suggests an untested or suspicious extension. While these are valid concerns for trust assessment, they do not constitute evidence of malicious behavior. The absence of malware signatures, obfuscation, and suspicious IoCs outweighs the anonymous publisher signal. If the extension were malicious, the code analysis would reveal obfuscated payloads, suspicious network destinations, or malware signatures—none of which are present.

Conclusion: The findings are generic patterns that fire on any non-trivial JavaScript extension. The axios calls, tabs permission, and npm dependencies are all consistent with legitimate productivity tool behavior. Without specific evidence of malicious intent, this extension should be classified as a false positive.

Key Reasons

  • No malware signatures or obfuscation detected in any files
  • Network findings are generic axios calls with no suspicious domains extracted
  • Tabs permission aligns with stated distraction-blocking functionality
  • Zero IoCs and zero code-smell findings
  • Dependencies are legitimate npm packages (electron-store, sudo-prompt)

False Positive Considerations

  • Generic axios network calls flagged as findings without domain analysis
  • Tabs permission flagged as sensitive despite legitimate use case
  • Dependency findings for standard npm packages
  • Low finding count driven by manifest and network pattern matching

Frequently Asked Questions