Is "Zoom for Kids" on Chrome Web Store Safe to Install?

[email protected] · chrome · v1.0.1

Kid-friendly control panel for Zoom meetings — big colorful buttons for reactions, hand raise, and mute

Risk Assessment

Analyzed: 43.58 out of 100 (MEDIUM)

5 security findings detected across all analyzers

Chrome extension requesting 1 permission

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 5
  • Low: 0
  • Info: 0

Finding Categories

  • Network: 5

Requested Permissions

1 permission

  • https://*.zoom.us/wc/* (Low)

Detailed Findings

5 total

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: no action.
Risk context: MEDIUM risk, score 44/100.
Evidence context: threat category none; evidence quality strong.

This extension, 'Zoom for Kids' by developer [email protected], presents five medium-severity network findings but zero malware signatures, zero IoCs, and zero obfuscation detections. The network findings are all generic patterns: src/popup/index.js:1 triggers NET-FETCH, src/popup/index.js:40 and src/popup/index.js:38 trigger NET-SOCKET_IO, src/content/index.js:37 triggers NET-SOCKET_IO, and zoom-app/assets/index-CLh9DvZO.js:1 triggers NET-FETCH. These represent standard web development patterns for any extension with a popup UI and real-time communication capabilities.

The extension's stated purpose—providing kid-friendly big buttons for Zoom reactions, hand raise, and mute—aligns with its network behavior. A popup interface requires fetch calls to load resources, and socket.io connections are typical for state synchronization or companion services. Critically, the IoC extractor found zero suspicious domains. If this were credential theft or browser hijacking, the XIOC extractor would have flagged specific malicious domains like query., search., or known C2 infrastructure. The absence of any IoC findings is strong evidence against malicious intent.

The developer uses a Gmail address ([email protected]), which is common for individual developers and not a red flag. The extension name 'Zoom for Kids' describes a third-party helper tool rather than impersonating Zoom itself—it does not claim to be from Zoom officially, and the description clearly states it provides 'kid-friendly big buttons for Zoom reactions.' This is legitimate functionality, not typosquatting.

The zero user count indicates this is either newly published or unlisted, which creates minor uncertainty about maintenance status but does not indicate maliciousness. The version number 1.0.1 suggests early-stage development rather than a long-running operation.

Counterargument: A skeptic might argue that socket.io connections in src/content/index.js:37 could exfiltrate data from Zoom pages, especially given the extension runs on Zoom sites. However, the evidence does not support this claim. The findings only detect the presence of socket.io calls, not their destinations. No suspicious domains appear in the IoC findings. If data exfiltration were occurring, the XIOC extractor would have identified external domains receiving the data. The absence of any IoC findings means either the socket.io connections are to benign services (like the extension's own companion server) or the data is not being transmitted externally. Without specific evidence of suspicious domains, the exfiltration hypothesis remains unsupported.

This extension exhibits normal development patterns for a legitimate Zoom helper tool. The findings are noise from generic network detection rules, not evidence of malicious behavior.

Key Reasons

  • Zero malware signatures detected
  • Zero IoC findings (no suspicious domains extracted)
  • Zero obfuscation detections
  • Network findings are generic patterns (fetch, socket.io) without malicious destinations
  • Extension purpose aligns with observed behavior

False Positive Considerations

  • Generic network detection rules firing on standard fetch and socket.io patterns
  • No IoC extraction found suspicious domains despite network activity
  • Code-smell rules did not trigger (no code quality issues detected)

Frequently Asked Questions