Is "YouTube Study Mode" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 75% confidence.

Recommended action: no action.
Risk context: MEDIUM risk, score 46/100.
Evidence context: threat category none; evidence quality moderate.

The evidence bundle reveals a minimal attack surface with no confirmed malicious indicators. The extension requests the 'tabs' permission (manifest.json), which is standard for YouTube-focused tools that need to access and modify page content to hide distractions and control channel visibility as described in the extension's purpose. The single network finding—a fetch call in popup.js at line 78 (NET-FETCH-popup.js-78)—represents normal extension behavior, likely for fetching configuration settings or YouTube API data, with no suspicious domains flagged in the IoC analysis.

The findings summary confirms zero malware signatures, zero obfuscation indicators, and zero suspicious IoCs. The two medium-severity findings are the tabs permission and the generic fetch call, both of which are necessary for the extension's stated functionality of modifying YouTube's interface for study purposes. No credential theft patterns, browser hijacking indicators, or data exfiltration to unknown domains were detected.

A skeptic might flag the email-based developer attribution ([email protected]) and minimal user count (4) as red flags suggesting a low-quality or potentially malicious extension. However, these are common characteristics for small-scale educational tools and do not constitute evidence of malicious intent. The absence of malware signatures, obfuscation, and suspicious IoCs outweighs these concerns. The version number (4.1) suggests some iteration history, though this alone is inconclusive.

The verdict is likely_false_positive because the flagged findings align with legitimate functionality rather than malicious patterns. The tabs permission enables the extension's core purpose of modifying YouTube pages, and the fetch call is necessary for any extension with backend communication or configuration retrieval. No evidence suggests credential theft, data exfiltration, or browser hijacking. The extension appears to be a legitimate study tool with standard permissions for its use case.

Key Reasons

• No malware signatures or obfuscation detected
• Findings align with stated functionality (YouTube content modification)
• No suspicious domains or data exfiltration patterns in IoC analysis
• Tabs permission is appropriate for extension's purpose of modifying YouTube pages
• Network finding is generic fetch call without malicious domain indicators

False Positive Considerations

• Generic network finding (fetch call without suspicious domain)
• Tabs permission flagged as sensitive despite being legitimate for YouTube modification
• Low user count and email-based developer attribution are not malicious indicators