Is "ModBox – Modify headers, block requests" on Chrome Web Store Safe to Install?

[email protected] · chrome · v0.2.4

⚡ ModBox

🎉 Summary
Create global or domain scoped rules to modify headers, block assets/domains & redirect. Organise by folder and tab, with a focus on clean UX for developers.

👌 Open Source
https://github.com/hellraiserrob/mod-box

🤟 Features
- Create rules to modify HTTP request and response headers
- Create rules to block HTTP requests & even block entire sites
- Create rules to redirect requests to your own assets
- Scope your tabs and rules to specific domains and url criteria
- Organise your rules by a folder and tab structure, with drag'n'drop and clone
- Quickly toggle individual rules, tabs, folders and globally
- Export & Import rules by folder
- Compact mode
- No tracking, no commercial version, no funny business

🚀 Change log
0.2.4
- (feature) note column
0.2.3
- (fix) export bug
- (fix) reset rules bug
0.2.2
- (feature) edit in overlay
- (fix) ux display issues
0.2.1
- (feature) compact mode
0.2.0
- (feature) import / export rules
0.1.0
- (feature) rule actions
- (feature) compress domain display
0.0.9
- (feature) rule drag'n'drop
0.0.8
- (feature) misc UX enhancements
0.0.7
- (feature) rule reset moved into settings area with confirmation
0.0.6
- (feature) redirect requests
- (feature) restore active tab
- (fix) active folder bug
0.0.5
- (fix) cloning bug
0.0.4
- global rule validation
- request/response operation
0.0.3
- drag'n'drop folders and tabs
- tab level requestDomain
- clone folder and tab
0.0.2
- add confirmation dialog before delete
- add service worker to restore badge
0.0.1
- Initial release

Risk Assessment

Analyzed: 43.58 out of 100 (MEDIUM)

3 security findings detected across all analyzers

Chrome extension requesting 4 permissions

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 3
  • Low: 0
  • Info: 0

Finding Categories

  • Network: 3

Requested Permissions

4 permissions
  • *://*/* (Dangerous)
  • storage (Low)
  • declarativeNetRequest (Low)
  • clipboardWrite (Low)


Detailed Findings

3 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-30. The review verdict is likely false positive with 85% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 44/100.
Evidence context: threat category none; evidence quality strong.

This extension, "ModBox – Modify headers, block requests," is a legitimate developer tool for modifying HTTP headers and blocking requests. The three findings in assets/index-D0y-2Wgb.js are all generic network operations: two NET-SOCKET_IO calls at lines 24 and 26, and one NET-FETCH call at line 1. These are standard JavaScript networking APIs that any extension performing request interception would use. Socket.io is a widely-used WebSocket library for real-time communication, and fetch is the standard browser API for HTTP requests. Neither indicates malicious behavior.

Critically, the evidence bundle shows zero malware signatures, zero obfuscation findings, zero suspicious IoCs (no malicious domains extracted), and zero code-smell findings. The extension's name and description directly match its functionality—modifying headers and blocking requests is a legitimate use case for developer tools and privacy extensions. The findings do not reveal any credential theft, browser hijacking, or data exfiltration patterns.

The developer uses a personal Gmail address ([email protected]) rather than a verified company account, which is a mild concern but not uncommon for legitimate developer tools. Many open-source developers and independent creators publish extensions with personal emails. This alone does not constitute evidence of malicious intent, especially given the complete absence of other red flags.

The strongest counterargument would be that the extension's ability to modify HTTP headers could theoretically be weaponized for MITM attacks or credential theft. However, this capability is the stated and legitimate purpose of the extension, and there is no evidence in the code findings that it misuses this capability. The network findings show only standard socket_io and fetch operations, not connections to suspicious domains or data exfiltration patterns. If the extension were malicious, we would expect to see: (1) suspicious domains in IoC findings, (2) obfuscation to hide malicious logic, (3) malware signatures, or (4) code-smell patterns indicating credential harvesting. None of these are present. The findings are simply the expected network calls for an extension that intercepts and modifies HTTP traffic.

This is a clear case of CVEQ's network detection rules flagging legitimate network operations. The verdict is likely_false_positive with high confidence.

Key Reasons

  • Zero malware signatures in the entire codebase
  • Zero obfuscation findings
  • Zero suspicious IoCs or malicious domains
  • Network findings are standard socket_io and fetch APIs expected for this extension type
  • Extension name and description match legitimate functionality

False Positive Considerations

  • Generic network API detection (fetch, socket_io) flagged as findings
  • No malicious domains or IoCs extracted from code

Frequently Asked Questions