Is "PageThen: Screenshot Capture & Compare" on Chrome Web Store Safe to Install?
PageThen lets you track how any website changes over time. Capture snapshots, build timelines, and compare "Then vs Now" instantly.
Perfect for:
- Product managers tracking competitor changes
- Designers studying UI evolution
- Founders monitoring landing page updates
- Researchers documenting website history
- Indie hackers analyzing product positioning
Features:
- One-click website snapshot capture
- Timeline view of page changes
- Compare any two versions side-by-side
- Full-page screenshot support
- Local-first storage (privacy-friendly)
- Lightweight and fast
Use cases:
- Track competitor pricing changes
- Monitor landing page redesigns
- Document UI improvements
- Watch startup evolution
- Compare before and after releases
PageThen works directly in your browser and stores data locally by default. Optional cloud sync is available for users who want backup, cross-device access, and shareable timelines. No signup required to get started.
Risk Assessment
Analyzed: 10 security findings detected across all analyzers
Chrome extension requesting 8 permissions
Requested Permissions
8 permissions
- Access and modify data on every website you visit
Detailed Findings
10 total
AI Security Report
AI Security Review
Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 75% confidence.
Recommended action: no action.
Risk context: MEDIUM risk, score 53/100.
Evidence context: threat category none; evidence quality moderate.
This extension, "PageThen: Screenshot Capture & Compare," presents findings consistent with legitimate screenshot and cloud-sync functionality. The manifest.json file declares the 'tabs' permission (MANIFEST-SENSITIVE-PERM-TABS), which is necessary for any extension that captures web pages. Without this permission, the extension cannot access page content to take screenshots.
The nine network findings are all generic 'fetch' detections across files with clear functional purposes: lib/capture.js:20 handles screenshot uploads, lib/cloudSync.js:509 manages cloud synchronization, lib/auth.js:157 handles user authentication, lib/analytics.js:75 tracks usage metrics, lib/utils.js:111 provides utility functions, and background/service-worker.js contains four fetch calls at lines 948, 1789, 1509, and 1967 for background processing. Critically, none of these network findings include suspicious destination domains—they are simply detecting fetch() API usage, which is standard for any extension that syncs data to cloud storage.
The findings summary shows zero malware signatures, zero obfuscation findings, zero code-smell findings, and zero IoC extractions. This clean profile is inconsistent with malicious extensions, which typically exhibit multiple threat indicators simultaneously. The extension's behavior (tabs access + network calls) directly aligns with its stated purpose (capture web pages + cloud sync).
Counterargument: A skeptic might argue that the extremely low user count (3 users) and generic developer email ([email protected]) warrant caution. While these are valid concerns for new or unknown extensions, they do not constitute evidence of malicious behavior. Many legitimate extensions start with minimal adoption, and a generic email address does not indicate compromise. The absence of malware signatures, obfuscation, suspicious domains, or deceptive naming patterns outweighs these weak signals. If the extension were malicious, we would expect to see at least one concrete threat indicator (malware signature, obfuscated payload, credential theft code, or suspicious network destinations), none of which are present.
The evidence quality is moderate: findings are clear but all represent benign patterns. The verdict is likely_false_positive because the findings are driven by legitimate extension functionality rather than malicious behavior.
Key Reasons
- No malware signatures or obfuscation findings
- Network findings are generic fetch calls without suspicious destinations
- Tabs permission is necessary for screenshot capture functionality
- Extension behavior matches stated purpose (cloud-synced screenshots)
- No typosquatting or impersonation indicators
False Positive Considerations
- Generic fetch() detections without domain analysis
- Tabs permission required for screenshot functionality
- No suspicious IoC domains present
- No malware signatures or obfuscation
Source Code Not Available
Source code is not available for this version of the extension.