Is "PropertyScoop: Get More Real Estate Insights on Zillow, Redfin, and Realtor" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-28. The review verdict is likely false positive with 75% confidence.

Recommended action: no action.
Risk context: MEDIUM risk, score 46/100.
Evidence context: threat category none; evidence quality moderate.

This extension, "PropertyScoop: Get More Real Estate Insights on Zillow, Redfin, and Realtor," presents minimal security concerns despite being flagged by automated scanning. The two findings in the evidence bundle are both medium-severity and consistent with legitimate extension behavior.

The manifest finding MANIFEST-SENSITIVE-PERM-TABS in manifest.json flags the tabs permission as potentially sensitive. However, this permission is standard for extensions that overlay data on web pages, which matches the extension's stated purpose of providing property insights on real estate sites like Zillow and Redfin. Without this permission, the extension could not read page content to display property data overlays.

The network finding NET-FETCH-website-token-auth.js-1 indicates a fetch call in the website-token-auth.js file. The filename itself suggests authentication token management, which is legitimate for an extension that needs to communicate with a backend service to retrieve property data. There are zero IoCs extracted from this network call, meaning no suspicious domains were identified in the fetch requests. The absence of extracted domains indicates the network activity does not target known malicious or suspicious endpoints.

Critically, this extension has zero malware signatures, zero obfuscation findings, zero code-smell detections, and zero suspicious IoCs. These are the high-confidence threat indicators that matter. The extension's description explicitly states its purpose: providing information about "power lines, crime, radon, radiation, noise, flooding, wildfire" for real estate properties. This aligns with the minimal findings observed.

Counterargument: A skeptic might argue that the developer identity ([email protected]) is a personal Gmail address rather than a verified company domain, and only 24 users have installed the extension. While these are legitimate concerns for evaluating trust, they do not constitute evidence of malicious behavior. The actual code analysis shows no malware signatures, no obfuscation, no credential theft patterns, and no suspicious network destinations. The developer could be a small independent developer or startup using a Gmail account before establishing a company domain. The low user count may simply indicate the extension is new or niche rather than malicious.

Without malware signatures, obfuscation, suspicious domains, or deceptive naming patterns, the findings are best explained as scanner noise on legitimate extension functionality. The verdict remains likely_false_positive.

Key Reasons

• Zero malware signatures detected
• Zero obfuscation findings
• Zero suspicious IoCs extracted from network activity
• Tabs permission is consistent with stated overlay functionality
• No credential theft or data exfiltration patterns

False Positive Considerations

• Manifest permission flagged as sensitive despite legitimate use case
• Network fetch call in auth file without suspicious domain extraction