Is "Sponsy" on Chrome Web Store Safe to Install?

[email protected] · chrome · v1.2.7

Sponsy is a Chrome extension for newsletter and media teams managing sponsorships in Sponsy. It connects securely to your Sponsy account and gives you a daily view of all booked ad slots for a publication, so you always know what needs to run and when. The extension is built to reduce manual work and context switching when publishing sponsored content.

Key features:

  • View all booked sponsorship slots for a publication, organized by day
  • Quickly check what ads are scheduled before sending a newsletter
  • Inject sponsorship content directly into the beehiiv editor
  • Reduce copy and paste errors and missed placements
  • Stay aligned with your Sponsy ad calendar without leaving your workflow

The beehiiv editor integration lets you insert ads straight from Sponsy into your draft, making it faster and safer to publish sponsored newsletters. This extension is designed for publishers, newsletter operators, and ad ops teams already using Sponsy who want a smoother publishing experience and fewer operational mistakes. A Sponsy account is required to use this extension.

Risk Assessment

Risk score: 53.37 out of 100 (MEDIUM)

3 security findings detected across all analyzers

Chrome extension requesting 12 permissions

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 3
  • Low: 0
  • Info: 0

Finding Categories

  • Network: 2

Requested Permissions

12 permissions (name, risk level, description where provided):

  • clipboardRead (High): Read data from your clipboard
  • tabs (Medium)
  • sidePanel (Low)
  • storage (Low)
  • clipboardWrite (Low)
  • https://getsponsy.com/* (Low)
  • https://app.beehiiv.com/* (Low)
  • https://mail.google.com/* (Low)
  • https://*.hubspot.com/* (Low)
  • https://graphql.getsponsy.com/* (Low)
  • https://api.getsponsy.com/* (Low)
  • http://localhost:3003/* (Low)

Detailed Findings

3 findings total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-28. The review verdict is likely false positive with 75% confidence.

Recommended action: no action.
Risk context: MEDIUM risk, score 53/100.
Evidence context: threat category none; evidence quality weak.

The Sponsy Chrome extension (version 1.2.7) presents minimal security concerns based on the available evidence. The extension has 6 users and is published under the email address [email protected]. The CVEQ analysis identified only 3 medium-severity findings across two categories: manifest analysis and network activity.

The manifest analysis finding (MANIFEST-SENSITIVE-PERM-TABS in manifest.json) indicates the extension requests the 'tabs' permission. This permission allows the extension to access tab information and is commonly used by legitimate extensions for functionality like tab management, content injection, or page interaction. While sensitive, this permission alone does not indicate malicious intent and is standard for many benign extensions.

The two network findings (NET-FETCH-assets/sidepanel.html-B7s-c_q0.js-1 and NET-FETCH-assets/content-script.ts-Bq4ZSEA-.js-1) detect fetch calls in the extension's JavaScript files. These are generic network activity detections that do not reveal specific destination domains or suspicious endpoints. Without domain-level IoC data showing connections to malicious or tracking servers, these network calls represent normal extension behavior for communicating with backend services.

Critically, the evidence bundle contains zero malware signatures, zero obfuscation findings, zero code-smell detections, and zero suspicious IoCs. The absence of these high-confidence threat indicators is significant. Extensions exhibiting malicious behavior typically trigger malware signatures, obfuscation patterns, or suspicious domain connections in their network traffic.

The strongest counterargument to this verdict would be the combination of a generic developer email ([email protected]) and extremely low user count (6 users). This could suggest a throwaway extension created for testing or potentially malicious purposes. However, the actual code analysis shows no evidence of malicious behavior - no credential theft patterns, no browser hijacking indicators, no data exfiltration mechanisms, and no obfuscated payloads. The extension's behavior as detected by the static analysis is consistent with normal, legitimate extension functionality.

Given the minimal finding count, absence of high-confidence threat indicators, and normal code behavior, this extension is classified as likely_false_positive. The findings are driven by standard extension permissions and network activity rather than malicious indicators.

Key Reasons

  • Zero malware signatures detected
  • Zero obfuscation or code-smell findings
  • Zero suspicious IoCs or malicious domains
  • Network findings are generic fetch calls without suspicious destinations
  • Tabs permission is standard for legitimate extensions

False Positive Considerations

  • Generic network fetch calls flagged as findings
  • Sensitive permissions (tabs) flagged but common in legitimate extensions
  • Low finding count driven by manifest and basic network activity
