Is "Image Grabber" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 63/100.
Evidence context: threat category none; evidence quality moderate.

Verdict: Likely False Positive

This extension's security findings are driven entirely by known false-positive patterns in the CVEQ analysis pipeline, not by actual malicious behavior.

IoC Findings Are Garbage

All 88 IoC findings are property access chains misidentified as domains by the XIOC extractor. Specific examples from the evidence include XIOC-DOMAIN-this.next, XIOC-DOMAIN-t.call, XIOC-DOMAIN-array.prototype.slice.call, and XIOC-DOMAIN-this.streaminfo.data. These are JavaScript property access patterns (e.g., this.next, array.prototype.slice.call), not network domains. The file_path for all IoC findings is extracted_from_files, indicating these were extracted from minified JavaScript without proper context. This matches the documented XIOC false-positive pattern where property access chains like b.call, h.next, and g.id are misread as domains.

Network Findings Are Benign

The 4 network findings consist of generic fetch calls in popup.js:49 and popup.js:27. For an image grabber extension, making fetch requests to download images or retrieve image URLs is expected functionality. Critically, none of these network findings reference suspicious domains—no custom search engines, no data exfiltration endpoints, no third-party tracking domains. The findings simply detect the presence of fetch calls, which is normal for any extension that needs to download content.

No Malware Signatures

The findings_summary shows "malware-signature":"0" and "malware":"0". Zero malware signatures were detected. Combined with zero obfuscation findings ("obfuscation":"0"), there is no evidence of malicious payloads.

Extension Metadata Is Consistent

The extension name "Image Grabber" matches its stated purpose: "Find and download main content images from any page. Skips icons, logos, and junk." The developer email [email protected] is visible, not anonymous. While the user count is 0 (indicating a new or unpopular extension), this alone is not a threat indicator.

Counterargument: Why This Might Seem Suspicious

A skeptic could argue that 114 total findings with 92 medium-severity items warrants concern. However, the severity labels are inherited from the XIOC extractor's default classification, not from actual risk assessment. The guidelines explicitly state that IoC COUNT alone is meaningless and that property access chain patterns are well-documented false positives. The 22 code-smell findings are also classified as low severity and match the documented pattern of YARA rules firing on basic JavaScript patterns. None of these findings indicate actual malicious behavior.

Recommendation

Suppress these false positive findings. The extension performs its stated function (image downloading) with no evidence of credential theft, browser hijacking, data exfiltration, or malware delivery.

Key Reasons

• All 88 IoC findings are JavaScript property access patterns, not real domains
• Zero malware signatures detected
• Network findings are legitimate fetch calls with no suspicious destinations
• Extension has clear legitimate purpose matching its description
• Developer email is visible (not anonymous publisher)

False Positive Considerations

• XIOC property access chain false positives (this.next, t.call, array.prototype.slice.call)
• Generic fetch calls in popup.js flagged as network findings
• Code-smell rules firing on standard JavaScript patterns
• Minified JavaScript causing property access misidentification