Is "YouTube Watch Later (Shorts + Subscriptions)" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-28. The review verdict is likely false positive with 75% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 44/100.
Evidence context: threat category none; evidence quality moderate.

This extension presents 11 network findings, all classified as medium-severity NET-FETCH detections. The findings are distributed across two files: nine fetch calls in youtube-api.js (lines 84, 112, 172, 199, 248, 287, 356, 384, 417) and two fetch calls in regular-ext/auth.js (lines 81, 113). Critically, these findings only indicate the presence of fetch API calls—they do not specify any destination domains, and the IoC count is zero. This is the key distinction: without evidence of suspicious domains being contacted, fetch calls alone are insufficient to establish malicious behavior.

The extension's stated purpose is to add YouTube Shorts and subscription videos to a Watch Later playlist using keyboard shortcuts. This functionality legitimately requires YouTube API interaction, making the presence of fetch calls in youtube-api.js expected and consistent with the extension's description. The file regular-ext/auth.js similarly aligns with authentication workflows for YouTube OAuth or similar mechanisms. There are no malware signatures, no obfuscation findings, and no code-smell detections in the evidence bundle.

The findings summary confirms zero IoCs, zero malware signatures, zero obfuscation findings, and zero code-smell findings. The 11 network findings represent all findings in the bundle, and they are all generic fetch detections without domain-level specificity. This pattern is characteristic of false-positive noise from the CVEQ platform's network detection rules, which flag any fetch call regardless of destination.

Counterargument: A skeptic might argue that the developer uses a personal Gmail address ([email protected]) rather than a verified company domain, and the extension has only 3 users, which could indicate a newly deployed malicious extension. While these factors warrant awareness, they are not evidence of malicious behavior. Many legitimate indie developers publish extensions using personal emails, and low user counts are common for niche tools. The actual code analysis shows no suspicious domains, no credential exfiltration patterns, no browser hijacking mechanisms, and no obfuscation. The network activity aligns with the extension's stated YouTube API functionality. Without specific evidence of suspicious domains or malicious code patterns, the generic fetch findings do not justify a malicious verdict.

The evidence quality is moderate: findings exist but are generic network detections without domain-level specificity. The verdict is likely_false_positive because the findings are driven by known CVEQ noise patterns (generic fetch detection) rather than actual malicious indicators.

Key Reasons

• All 11 findings are generic fetch calls without suspicious domains
• Zero IoCs, malware signatures, or obfuscation findings
• Network activity aligns with legitimate YouTube API functionality
• No evidence of credential theft, hijacking, or data exfiltration

False Positive Considerations

• Generic NET-FETCH findings without domain specificity
• Zero IoC count despite 11 network findings
• No malware signatures or obfuscation detected