Is "Sermon Notetaker" on Chrome Web Store Safe to Install?

[email protected] · chrome · v1.0

Your Personal AI Notetaker for Sermons & Talks

Sermon Scribe AI works entirely in the background—listening to any audio playing in your Chrome browser and automatically generating clear, structured sermon notes. No typing, no clicking during the message.

How It Works (Fully Automated)

  • Open any sermon, Bible study, or lecture in Chrome (live stream, YouTube, podcast, church website, etc.).
  • Sermon Scribe AI listens to the browser audio in real time—no microphone access needed.
  • The AI processes the spoken content and writes structured notes including:
      • Main topic & Scripture references
      • Key points & subpoints
      • Illustrations & applications
      • Quotable statements
      • Actionable takeaways

Key Features

  • Hands-free & non-intrusive – No buttons to press during the message. Start it once, and it runs automatically.
  • Browser audio only – Works with any tab that plays audio. Does NOT use your microphone, so it won’t pick up room noise or conversations.
  • Real-time or post-sermon – Generate notes as the sermon plays or process a recording afterward.
  • Structured output – Notes are organized for easy review, teaching, or sharing.
  • Editable & exportable – Copy to clipboard, export as text, Markdown, PDF, or send to Google Docs/Notion.
  • Supports multiple speakers – Distinguishes between main preacher, prayers, and Scripture reading where possible.
  • No cloud dependency (optional) – Local processing available for privacy (depending on your AI backend setup).

Perfect For

  • Pastors & ministry leaders reviewing sermons
  • Bible students & small group leaders preparing discussion guides
  • Church volunteers creating bulletins or summaries
  • Anyone who wants to focus on listening, not note-taking

Privacy First

Sermon Scribe AI does not record or store audio without your permission. All processing can be done locally, and no audio leaves your device unless you choose a cloud AI option.

How to Use

  • Install the extension.
  • Pin it to your toolbar.
  • Play any sermon or teaching in a Chrome tab.
  • Click “Start Listening” once.
  • Get structured notes automatically when the message ends.

Requirements

  • Chrome browser (desktop)
  • Internet connection for optional cloud AI (local mode available)

Support & Feedback

We’re actively improving Sermon Notetaker. We are open to feature requests or bug reports.

Risk Assessment

Analyzed: 53.37 out of 100 (MEDIUM)

4 security findings detected across all analyzers

Chrome extension requesting 6 permissions

Severity Breakdown

  • Critical: 0
  • High: 0
  • Medium: 4
  • Low: 0
  • Info: 0

Finding Categories

  • Network: 3

Requested Permissions

6 permissions

  • activeTab: Medium
  • tabs: Medium
  • storage: Low
  • tabCapture: Low
  • offscreen: Low
  • https://api.groq.com/*: Low

Detailed Findings

4 total

AI Security Report

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: suppress false positive.
Risk context: MEDIUM risk, score 53/100.
Evidence context: threat category none; evidence quality moderate.

The Sermon Notetaker extension demonstrates a clean security profile with no evidence of malicious behavior. The four findings in the evidence bundle are all medium-severity items that directly support the extension's stated purpose of capturing sermon audio and generating AI summaries.

The MANIFEST-SENSITIVE-PERM-TABS finding in manifest.json declares the 'tabs' permission, which is necessary for an extension to access audio from browser tabs. Without this permission, the extension cannot capture sermon audio from web pages. This is expected behavior for the described functionality.

The three network findings (NET-FETCH-background.js-160, NET-FETCH-offscreen.js-83, NET-FETCH-background.js-233) detect generic fetch calls in background.js and offscreen.js. These network operations are required to transmit captured audio data to an AI service for summarization. Critically, the findings do not identify any suspicious destination domains. The evidence shows zero IoCs, meaning no specific external domains were extracted from these network calls. This absence of suspicious domains distinguishes these findings from actual data exfiltration patterns.

The findings summary confirms zero malware signatures, zero obfuscation findings, zero code-smell detections, and zero suspicious IoCs. These are the categories that typically indicate malicious behavior. The complete absence of findings in these categories is strong evidence of benign code.

The strongest counterargument to this verdict would be that the developer uses a personal Gmail address ([email protected]) rather than a verified organization, and the extension has only 1 user, suggesting it could be a testbed for malicious code. However, developer identity alone does not determine maliciousness. The actual code analysis shows no obfuscation, no malware signatures, no suspicious network destinations, and no credential access patterns. Personal Gmail addresses are common for legitimate independent developers and small projects. The low user count indicates a new or niche extension, not necessarily malicious intent. Without evidence of actual harmful behavior in the code, the developer's email address is insufficient grounds for a malicious verdict.

This extension's findings profile matches known false-positive patterns where generic network detection rules trigger on legitimate fetch operations. The verdict is likely_false_positive because the findings are explainable by the extension's documented functionality and lack any specific indicators of malicious intent.

Key Reasons

  • Zero malware signatures detected in any file
  • Zero obfuscation findings across all code
  • Zero suspicious IoCs or external domains extracted
  • Tabs permission is necessary for audio capture functionality
  • Network fetch calls lack suspicious destination domains

False Positive Considerations

  • Generic network fetch detection on legitimate API calls
  • Sensitive permission flagged without contextual analysis
  • Small/new extension with limited codebase

Frequently Asked Questions