Is "CoverClick" on Chrome Web Store Safe to Install?

[email protected] · chrome · v0.1.0

CoverClick helps you generate tailored, high-quality cover letters directly from job postings in seconds. • Automatically extracts key details from job listings • Generates personalized cover letters using AI • Customize tone, length, and style • Save time and apply faster Sign in with Google to access your account. Free version available, with paid features unlocking full generation capabilities. Your data is used only to provide the core functionality of the extension. We do not sell your data.

Risk Assessment

Risk score: 53.37 out of 100 (MEDIUM)

4 security findings detected across all analyzers

Chrome extension requesting 8 permissions

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 4
  • Low: 0
  • Info: 0

Finding Categories

  • Network: 3

Requested Permissions

8 permissions requested (permission, risk level as rated by the scanner):

  • https://*/* (host permission, all HTTPS sites): Dangerous
  • http://*/* (host permission, all HTTP sites): Dangerous
  • identity (access your identity and sign-in tokens): High
  • activeTab: Medium
  • tabs: Medium
  • storage: Low
  • scripting: Low
  • sidePanel: Low

Detailed Findings

4 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: suppress false positive.
Risk context: CRITICAL risk, score 100/100.
Evidence context: threat category none; evidence quality moderate.

CoverClick (version 0.1.0) is a cover letter generation tool published by an anonymous developer using email [email protected]. The extension requests the tabs permission per MANIFEST-SENSITIVE-PERM-TABS in manifest.json, which is legitimate for a tool that reads job posting content from browser tabs.

The 1565 IoC findings are all false positives. Every specific IoC example provided demonstrates the documented XIOC extractor garbage pattern: XIOC-DOMAIN-cachedcleartimeout.call, XIOC-DOMAIN-iterator.call, XIOC-DOMAIN-eventemitter.prototype.off, XIOC-DOMAIN-obj.constructor.name, and XIOC-DOMAIN-buffer2.prototype.compare are JavaScript property access chains misread as domains. These match the exact false positive pattern documented in CVEQ guidelines: "Property access chains misread as domains: b.call, h.next, g.id." None of these are actual network destinations.

The obfuscation finding is bundler noise. The single obfuscation detection OBFUSCATION-FUNCTION_INDIRECT-assets/sidepanel-sH1cyp5E.js-16 occurs in a webpack-bundled asset file. The filename pattern useAccessGate-Daj0lRMS.js and sidepanel-sH1cyp5E.js with hash suffixes is characteristic of webpack/esbuild output, not malicious obfuscation. Per guidelines: "Minified/bundled JavaScript (webpack, esbuild, rollup output) is NOT obfuscation."

Zero malware signatures is decisive. The findings summary shows "malware-signature":"0" and "malware":"0". This is the strongest signal that the extension contains no actual malicious code, regardless of the inflated IoC count.

The 101 code-smell findings are low-severity noise. Per guidelines: "code-smell findings (severity=low, finding_type=code-smell) are NOISE." These fire on basic Node.js patterns and do not indicate malicious intent.

Counterargument: A skeptic could argue that the anonymous developer (email-only attribution), zero user count, and 1570 medium-severity findings warrant concern. However, the nature of the findings, not their count, determines risk. Every specific IoC is demonstrably garbage (property access chains), the obfuscation is in bundled assets with webpack naming, and critically, there are zero malware signatures. The tabs permission is appropriate for the stated functionality. Without actual suspicious domains, malware signatures, or credential theft patterns, the finding volume is purely an artifact of known false positive patterns.

Recommendation: Suppress these false positive findings. The extension's behavior aligns with its stated purpose, and all detections map to documented noise sources.

Key Reasons

  • All IoC findings are property access chain garbage, not real domains
  • Zero malware signatures detected
  • Obfuscation finding is in webpack-bundled asset file
  • Tabs permission is legitimate for cover letter generation functionality
  • Code-smell findings are low-severity noise per CVEQ guidelines

False Positive Considerations

  • XIOC extractor misreading property access chains as domains
  • Webpack bundler output triggering code-smell rules
  • Function indirect calls in minified code flagged as obfuscation
  • Bundled asset files with hash-suffixed filenames
