Is Amazon Order Exporter safe to use?

Amazon Order Exporter has a security risk score of 46.26/100 (MEDIUM risk). Our security analysis detected 2 findings. Review the detailed security assessment below to understand the specific risks before installation.

What are the security risks of Amazon Order Exporter?

Based on our automated security analysis, Amazon Order Exporter presents medium risk level. The extension is analyzed for malware patterns, secret exposure, network communications, permissions, and supply chain vulnerabilities.

How is the security score calculated?

Risky Plugins calculates security scores using weighted categories: severity of findings (25 points max), malware detections (35 points), secret exposure (28 points), network communications (10 points), and obfuscation (10 points). Scores range from 0-100, with higher scores indicating greater risk.

What does CRITICAL, HIGH, MEDIUM, LOW, MINIMAL risk mean?

CRITICAL (80-100): Severe security issues like malware. HIGH (60-79): Significant vulnerabilities. MEDIUM (40-59): Moderate security concerns. LOW (20-39): Minor issues. MINIMAL (0-19): Very low risk. Always review findings before installing any extension.

Is "Amazon Order Exporter" on Chrome Web Store Safe to Install?

[email protected] · chrome · v4.0.0

Export your entire Amazon order history to Excel (.xlsx) or CSV in just a few clicks — completely free, forever. What it does Amazon Order Exporter scans your order history and downloads a clean spreadsheet with everything you need: order date, order number, item name, price, order total, quantity, seller, condition, and direct links to every item and order. Key features • Export one year or multiple years at once • Excel export with proper number formatting for prices and clickable hyperlinks • CSV export compatible with Excel, Google Sheets, and any spreadsheet app • Scheduled auto-exports — set it to run daily, weekly, or monthly automatically • Works across all major Amazon storefronts: .com, .co.uk, .ca, .com.au, .de, .fr, .es, .it, .co.jp, .in, .com.mx, .com.br • No account, no sign-up, no data ever leaves your browser Privacy This extension only reads your Amazon order pages while you are logged in. No data is collected, stored, or sent to any external server. Everything happens locally in your browser. Support This extension is free forever. If it saves you time, consider supporting development on Ko-fi. Questions? Reach us at [email protected]

Risk Assessment

Analyzed

46.26

out of 100

MEDIUM

2 security findings detected across all analyzers

Chrome extension requesting 19 permissions

Severity Breakdown

Critical

High

Medium

Low

Info

Finding Categories

Network

Requested Permissions

19 permissions

downloads

Manage, modify, and monitor downloads

High

activeTab

Medium

tabs

Medium

scripting

Low

storage

Low

alarms

Low

notifications

Low

https://www.amazon.com/*

Low

https://www.amazon.co.uk/*

Low

https://www.amazon.ca/*

Low

https://www.amazon.com.au/*

Low

https://www.amazon.de/*

Low

https://www.amazon.fr/*

Low

https://www.amazon.es/*

Low

https://www.amazon.it/*

Low

https://www.amazon.co.jp/*

Low

https://www.amazon.in/*

Low

https://www.amazon.com.mx/*

Low

https://www.amazon.com.br/*

Low

About This Extension

Detailed Findings

2 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 63/100.
Evidence context: threat category none; evidence quality strong.

This extension presents as an Amazon order history exporter with findings that align with its stated functionality. The 54 IoC findings are entirely benign: domains like https://www.amazon.com/*, https://www.amazon.co.uk/*, and https://www.amazon.ca/* match the extension's declared purpose of accessing Amazon order pages. The http://schemas.openxmlformats.org/ URLs are standard OpenXML namespace identifiers required for Excel file generation, not network endpoints. The https://clients2.google.com/service/update2/crx finding is Chrome's legitimate extension update endpoint.

The 19 code-smell findings fall into the known false-positive category per CVEQ documentation. Rules like postinstall_* and credential_* fire on basic JavaScript patterns (fetch, API references) and should not drive verdicts. Critically, there are zero malware signatures and zero obfuscation findings, which are the strongest indicators of actual malicious intent.

The developer identity ([email protected]) is a generic Gmail address rather than a verified publisher, which is a minor concern. However, this alone does not indicate malicious behavior—many legitimate developers use personal email addresses. The extension has 0 users, suggesting it may be new or niche rather than widely distributed malware.

Counterargument: A skeptic might argue that the 75 total findings and anonymous developer warrant caution. However, finding COUNT is explicitly documented as meaningless in CVEQ's known false-positive patterns. The NATURE of these findings matters: all IoCs are either legitimate Amazon domains (matching the extension's purpose) or standard XML namespaces for Excel export. There are no suspicious third-party domains, no credential theft patterns, no browser hijacking indicators, and no malware signatures. The code-smell findings are classified as severity: low and finding_type: code-smell, which the threat model explicitly states should NEVER drive a verdict.

This extension exhibits the classic false-positive profile: high finding volume driven by legitimate functionality (Amazon access + Excel export) triggering generic rules. Without malware signatures, obfuscation, or suspicious domains, there is no evidence of malicious intent.