Is "IFS Cloud Query Builder" on Chrome Web Store Safe to Install?

AI Security Review

Risky Plugins reviewed this extension with an AI-assisted security workflow on 2026-04-27. The review verdict is likely false positive with 85% confidence.

Recommended action: no action.
Risk context: MEDIUM risk, score 53/100.
Evidence context: threat category none; evidence quality moderate.

The IFS Cloud Query Builder extension presents a clean security profile with only 3 medium-severity findings, all of which are functionally expected for its stated purpose. The MANIFEST-SENSITIVE-PERM-TABS finding in manifest.json declares the 'tabs' permission, which is necessary for any extension that needs to interact with web pages—in this case, IFS Cloud list screens to create and export queries. This permission is not inherently malicious; it is the standard mechanism for content scripts to read and modify page elements.

The two NET-FETCH findings (background.js:747 and background.js:1112) represent network calls that are expected for an extension designed to export query results as CSV/Excel files. These fetch calls likely communicate with IFS Cloud APIs or handle file generation. Without evidence of suspicious destination domains, these network calls are benign operational requirements.

Critically, this extension has zero malware signatures, zero obfuscation findings, zero IoCs, and zero code-smell findings. The absence of these high-confidence threat indicators is a strong signal of legitimacy. The extension name 'IFS Cloud Query Builder' is specific to a legitimate enterprise software platform (IFS Cloud) and does not impersonate any well-known extension. The developer uses a personal Gmail address ([email protected]), which is common for individual developers creating niche tools.

The strongest counterargument to this verdict would be the anonymous publisher and zero user count, which could indicate a newly deployed malicious extension. However, this argument is weak because: (1) the finding profile contains no actual threat indicators—only functional permissions and network calls; (2) there are no obfuscation, malware, or suspicious domain findings that would accompany malicious intent; and (3) the extension's stated purpose aligns with its technical capabilities. If this were malicious, we would expect to see credential access patterns, suspicious domains in IoCs, or obfuscated payloads—none of which are present. The evidence supports a benign extension with expected security findings.

Key Reasons

• Zero malware signatures, obfuscation findings, or suspicious IoCs detected
• Manifest tabs permission is functionally required for page interaction
• Network fetch calls are expected for data export functionality
• Extension name is specific to legitimate IFS Cloud platform
• Finding profile shows no high-confidence threat indicators

False Positive Considerations

• Manifest permission 'tabs' is functionally required for page interaction
• Network fetch calls are expected for data export functionality
• No IoC, malware, or obfuscation findings present
• Clean finding profile with no suspicious patterns