Is "Memoraid - AI自动化发文到小红书、公众号、知乎、头条等自媒体平台" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-28. The review verdict is likely false positive with 75% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 62/100.
Evidence context: threat category none; evidence quality moderate.

Memoraid is an AI content processing extension that summarizes web pages and publishes to Chinese social media platforms (Xiaohongshu, WeChat Official Account, Zhihu, Toutiao). The evidence bundle shows 12 total findings, all medium severity, with zero malware signatures, zero malware findings, and zero suspicious IoCs.

The manifest finding MANIFEST-SENSITIVE-PERM-TABS in manifest.json requests the tabs permission, which is legitimate and necessary for an extension that summarizes web content. The 10 network findings are all fetch and socket_io calls located in bundled asset files: assets/index.ts-DICNo82W.js, assets/storage-BmqP6ncI.js, assets/debug-DwBj1fZa.js, assets/cytoscape.esm-CyJtwmzi.js, and assets/remoteDebug-1FVYx-A3.js. These files follow webpack/esbuild naming conventions (hash-suffixed filenames like CyJtwmzi.js, DICNo82W.js), indicating they are bundled dependencies rather than custom malicious code. No specific suspicious domains are extracted from these network calls.

The single obfuscation finding OBFUSCATION-FUNCTION_INDIRECT in assets/remoteDebug-1FVYx-A3.js is located in a file named "remoteDebug," which suggests debugging or development tooling rather than malicious payload delivery. Function indirect calls are common in minified/bundled JavaScript and do not constitute strong evidence of obfuscation intended to hide malicious behavior.

The strongest counterargument to this verdict is the anonymous developer identity ([email protected]) combined with the obfuscation finding. A skeptic could argue that an unverified developer using obfuscation patterns warrants a higher risk classification. However, the obfuscation finding is isolated to a debug file and represents a single function_indirect pattern, not comprehensive code obfuscation. More importantly, the findings_summary explicitly shows 0 malware signatures and 0 suspicious IoCs. Without malware signatures co-located with obfuscation, or without suspicious domains like query., search., or unknown third-party servers, there is no evidence of intentional harm. The extension's declared purpose (AI content summarization and publishing) aligns with its permissions and network behavior.

The developer anonymity is a minor concern but does not constitute evidence of malicious intent. The low user count (155) indicates this is a niche extension, not a mass-deployment attack vector. Given the absence of malware signatures, suspicious domains, or credential theft patterns, the findings are consistent with bundled dependencies triggering false positive detections.

Key Reasons

• Zero malware signatures and zero suspicious IoCs in findings summary
• Network findings located in bundled asset files with webpack naming conventions
• Tabs permission is legitimate for web content summarization functionality
• Single obfuscation pattern in debug file, not comprehensive obfuscation
• Extension purpose aligns with declared permissions and network behavior

False Positive Considerations

• Bundled dependencies in assets/ directory triggering network findings
• Webpack/esbuild minified code patterns in hash-suffixed filenames
• Function indirect calls in debug files
• No suspicious domains extracted from network calls