Is "RealMarketAPI – Live Prices" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is confirmed risk with 72% confidence.

Recommended action: runtime analysis.
Risk context: MEDIUM risk, score 61/100.
Evidence context: threat category data exfiltration; evidence quality moderate.

The RealMarketAPI – Live Prices extension presents concerning network behavior that warrants classification as a confirmed risk. The extension's stated purpose is displaying real-time crypto, stocks, and commodities prices via RealMarketAPI, but the IoC findings reveal network connections to domains that do not support this functionality.

Two specific IoC findings are genuinely suspicious: XIOC-DOMAIN-d.bid and XIOC-DOMAIN-savebtn.click extracted from files. These domains are not the extension's own service (api.realmarketapi.com), not Google/CDN infrastructure, and not typical analytics providers. A crypto price widget has no legitimate reason to contact bidding (.bid) or click-tracking (.click) domains. The network finding NET-FETCH-popup.js-241 confirms active fetch calls from the popup interface, which could be sending user data to these endpoints.

Several findings are confirmed false positives per CVEQ's documented patterns. The XIOC-IP-::bef is an IPv6 fragment that matches the known FP pattern for hex substrings from minified JavaScript. The XIOC-DOMAIN-symbolsnapshot.map is a file path misidentified as a domain. The code-smell findings (12 total, all low severity) are noise per the guidelines and should not drive verdict. The Google update URL (clients2.google.com/service/update2/crx) is legitimate Chrome infrastructure.

The legitimate IoCs include api.realmarketapi.com URLs and realmarketapi.com documentation links, which align with the extension's stated purpose. However, these do not explain the presence of the suspicious third-party domains.

Counterargument: A skeptic could argue that d.bid and savebtn.click are legitimate affiliate tracking domains for monetizing the API service, which would make this a benign but commercially motivated extension. This is plausible—some free extensions use affiliate links for revenue. However, affiliate tracking should be disclosed in privacy policies, and the extension has no description beyond its store listing. The combination of anonymous publisher ([email protected] email only), zero malware signatures, but active connections to undisclosed third-party domains creates genuine uncertainty about user data handling. Without transparency about what data is sent to these domains, the risk profile remains elevated.

The extension's low user count (3) and version 1.0.0 status indicate it is new and unvetted. While there are no malware signatures or obfuscation, the network behavior to suspicious domains exceeds what is expected for a simple price display widget.

Key Reasons

• Extension contacts suspicious domains (d.bid, savebtn.click) unrelated to price API functionality
• No malware signatures but active network calls to undisclosed third-party endpoints
• Anonymous publisher with only email address, no verified company identity
• Low user count (3) indicates new/unvetted extension

False Positive Considerations

• IPv6 fragment (::bef) from minified JavaScript
• File path misidentified as domain (symbolsnapshot.map)
• Code-smell findings (12 low-severity) are documented noise
• Google Chrome update URL is legitimate infrastructure