Is FormFlow safe to use?

FormFlow has a security risk score of 64.9/100 (MEDIUM risk). Our security analysis detected 185 findings. Review the detailed security assessment below to understand the specific risks before installation.

What are the security risks of FormFlow?

Based on our automated security analysis, FormFlow presents medium risk level. The extension is analyzed for malware patterns, secret exposure, network communications, permissions, and supply chain vulnerabilities.

How is the security score calculated?

Risky Plugins calculates security scores using weighted categories: severity of findings (25 points max), malware detections (35 points), secret exposure (28 points), network communications (10 points), and obfuscation (10 points). Scores range from 0-100, with higher scores indicating greater risk.

What does CRITICAL, HIGH, MEDIUM, LOW, MINIMAL risk mean?

CRITICAL (80-100): Severe security issues like malware. HIGH (60-79): Significant vulnerabilities. MEDIUM (40-59): Moderate security concerns. LOW (20-39): Minor issues. MINIMAL (0-19): Very low risk. Always review findings before installing any extension.

Is "FormFlow" on Chrome Web Store Safe to Install?

[email protected] · chrome · v0.1.0

FormFlow is a form automation extension built for developers, QA engineers, and testers. Fill any web form with realistic test data in one click, record your form interactions, and export them as ready-to-run Playwright test scripts. ━━━━━━━━━━━━━━━━━━━━━━━ FORM FILLING ━━━━━━━━━━━━━━━━━━━━━━━ ● One-click form fill with realistic data — names, emails, phone numbers, addresses, companies, and 50+ field types ● Smart field detection using labels, placeholders, ARIA attributes, and data-testid selectors ● Works with all major frontend frameworks, component libraries, and standard HTML forms ● Locale-aware data generation for English, Arabic, German, French, and Spanish ● Reproducible fills with seed values — the same seed always generates the same data ● Handles native selects, checkboxes, radio buttons, textareas, date inputs, and contenteditable fields ● Full support for cascading dropdowns, virtualized lists, and searchable comboboxes ━━━━━━━━━━━━━━━━━━━━━━━ RECORDING & REPLAY ━━━━━━━━━━━━━━━━━━━━━━━ ● Record form interactions step by step — every click, selection, and text entry ● Replay recordings to repeat the exact same form fill ● Smart replay engine with retry logic for dynamic content, virtualized dropdowns, and async-loaded fields ● Automatic deduplication of noisy or duplicate recorded events ━━━━━━━━━━━━━━━━━━━━━━━ PLAYWRIGHT TEST EXPORT ━━━━━━━━━━━━━━━━━━━━━━━ ● Export recordings as ready-to-run Playwright test scripts — copy and paste into your test suite ● Export form data as JSON for data-driven testing ● Generate reproducible bug reports with exact steps to fill and submit a form ━━━━━━━━━━━━━━━━━━━━━━━ PROFILES & CUSTOM RULES ━━━━━━━━━━━━━━━━━━━━━━━ ● Create reusable fill profiles with custom field values for different forms ● Match profiles to URLs with wildcard patterns ● Define global field rules that apply across all sites ● Override any auto-detected field with your own value ━━━━━━━━━━━━━━━━━━━━━━━ ADVANCED FEATURES ━━━━━━━━━━━━━━━━━━━━━━━ ● Auto-click "Add" buttons to reveal hidden product rows, line items, or parcels ● Auto-expand collapsed sections and accordion panels before filling ● Option to preserve existing field values or overwrite them ● Fill unknown dropdowns and text inputs with generic test data ● Validation preview — scan a form to see field constraints before filling ● Configurable keyboard shortcuts for quick fill, scan, and highlight ━━━━━━━━━━━━━━━━━━━━━━━ KEYBOARD SHORTCUTS ━━━━━━━━━━━━━━━━━━━━━━━ ● Ctrl+Shift+F (Cmd+Shift+F on Mac) — Fill form instantly ● Ctrl+Shift+S (Cmd+Shift+S on Mac) — Scan and highlight form fields ● Ctrl+Shift+H (Cmd+Shift+H on Mac) — Toggle field highlighting ━━━━━━━━━━━━━━━━━━━━━━━ PRIVACY & SECURITY ━━━━━━━━━━━━━━━━━━━━━━━ ● All data stays local in your browser — nothing is ever sent to any external server ● No analytics, no tracking, no telemetry ● No account or sign-up required ● No external network requests ━━━━━━━━━━━━━━━━━━━━━━━ MULTILINGUAL INTERFACE ━━━━━━━━━━━━━━━━━━━━━━━ ● Full UI translations: English, Arabic (العربية), German (Deutsch), French (Français), Spanish (Español) ━━━━━━━━━━━━━━━━━━━━━━━ WHO IS IT FOR? ━━━━━━━━━━━━━━━━━━━━━━━ ● QA engineers filling the same form hundreds of times during testing ● Developers testing form validation, error states, and edge cases ● Support teams reproducing customer-reported form bugs ● Anyone tired of manually typing test data into web forms FormFlow is completely free. No premium tier, no feature gating, no limits. Need help or have feedback? Contact us at [email protected]

Risk Assessment

Analyzed

64.9

out of 100

MEDIUM

185 security findings detected across all analyzers

Chrome extension requesting 5 permissions

Severity Breakdown

Critical

High

144

Medium

Low

Info

Finding Categories

Obfuscation

Network

133

IoC Indicators

YARA Rules Matched

10 rules(33 hits)

LocalStorageShouldNotBeUsed postinstall file manipulation postinstall network communication postinstall file download postinstall system command NoUseWeakRandom postinstall crypto operations postinstall obfuscation SQLInjection postinstall persistence mechanism

Requested Permissions

5 permissions

<all_urls>

Access and modify data on every website you visit

Dangerous

activeTab

Medium

scripting

Low

storage

Low

contextMenus

Low

About This Extension

Detailed Findings

42 total

YARA Rule Matches

10 rules

Indicators of Compromise

Network indicators, suspicious strings, and potential IoCs extracted during analysis

URLs

IP Addresses

Domains

116

Strings

133

All Indicators · 133

Domain

detected Domain: bank.com

XIOC detected Domain: bank.com

extracted_from_files

Domain

detected Domain: n.target

XIOC detected Domain: n.target

extracted_from_files

Domain

detected Domain: e.select

XIOC detected Domain: e.select

extracted_from_files

Domain

detected Domain: window.ng

XIOC detected Domain: window.ng

extracted_from_files

detected IP: ::

XIOC detected IP: ::

extracted_from_files

URL

detected URL: http://www.w3.org/2000/svg

XIOC detected URL: http://www.w3.org/2000/svg

extracted_from_files

URL

detected URL: http://www.w3.org/1999/xhtml

XIOC detected URL: http://www.w3.org/1999/xhtml

extracted_from_files

URL

detected URL: https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap

XIOC detected URL: https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&display=swap

extracted_from_files

URL

detected URL: http://www.w3.org/2000/svg'

XIOC detected URL: http://www.w3.org/2000/svg'

extracted_from_files

URL

detected URL: https://www.$

XIOC detected URL: https://www.$

extracted_from_files

URL

detected URL: https://example.com/$

XIOC detected URL: https://example.com/$

extracted_from_files

URL

detected URL: http://www.w3.org/1999/02/22-rdf-syntax-ns#

XIOC detected URL: http://www.w3.org/1999/02/22-rdf-syntax-ns#

extracted_from_files

URL

detected URL: http://ns.adobe.com/exif/1.0/

XIOC detected URL: http://ns.adobe.com/exif/1.0/

extracted_from_files

URL

detected URL: https://clients2.google.com/service/update2/crx

XIOC detected URL: https://clients2.google.com/service/update2/crx

extracted_from_files

URL

detected URL: https://fonts.googleapis.com

XIOC detected URL: https://fonts.googleapis.com

extracted_from_files

URL

detected URL: https://fonts.gstatic.com

XIOC detected URL: https://fonts.gstatic.com

extracted_from_files

URL

detected URL: https://example.com

XIOC detected URL: https://example.com

extracted_from_files

URL

detected URL: https://i.pravatar.cc/150?u=$

XIOC detected URL: https://i.pravatar.cc/150?u=$

extracted_from_files

Domain

detected Domain: v.info

XIOC detected Domain: v.info

extracted_from_files

Domain

detected Domain: i.constraints.map

XIOC detected Domain: i.constraints.map

extracted_from_files

Domain

detected Domain: c.map

XIOC detected Domain: c.map

extracted_from_files

Domain

detected Domain: v.play

XIOC detected Domain: v.play

extracted_from_files

Domain

detected Domain: v.plus

XIOC detected Domain: v.plus

extracted_from_files

Domain

detected Domain: oe.map

XIOC detected Domain: oe.map

extracted_from_files

Domain

detected Domain: re.map

XIOC detected Domain: re.map

extracted_from_files

Domain

detected Domain: t.name

XIOC detected Domain: t.name

extracted_from_files

detected IP: e::af

XIOC detected IP: e::af

extracted_from_files

Domain

detected Domain: readme.md

XIOC detected Domain: readme.md

extracted_from_files

Domain

detected Domain: c.name

XIOC detected Domain: c.name

extracted_from_files

Domain

detected Domain: t.style

XIOC detected Domain: t.style

extracted_from_files

Domain

detected Domain: c.fields.map

XIOC detected Domain: c.fields.map

extracted_from_files

Domain

detected Domain: se.map

XIOC detected Domain: se.map

extracted_from_files

Domain

detected Domain: gmail.com

XIOC detected Domain: gmail.com

extracted_from_files

Domain

detected Domain: theme-toggle.open

XIOC detected Domain: theme-toggle.open

extracted_from_files

Domain

detected Domain: global-rules-chevron.open

XIOC detected Domain: global-rules-chevron.open

extracted_from_files

Domain

detected Domain: me.call

XIOC detected Domain: me.call

extracted_from_files

Domain

detected Domain: k.is

XIOC detected Domain: k.is

extracted_from_files

Domain

detected Domain: c.id

XIOC detected Domain: c.id

extracted_from_files

Domain

detected Domain: s.id

XIOC detected Domain: s.id

extracted_from_files

Domain

detected Domain: g.info

XIOC detected Domain: g.info

extracted_from_files

Domain

detected Domain: qe.map

XIOC detected Domain: qe.map

extracted_from_files

Domain

detected Domain: f.name

XIOC detected Domain: f.name

extracted_from_files

Domain

detected Domain: g.plus

XIOC detected Domain: g.plus

extracted_from_files

Domain

detected Domain: y.name

XIOC detected Domain: y.name

extracted_from_files

Domain

detected Domain: g.save

XIOC detected Domain: g.save

extracted_from_files

Domain

detected Domain: g.download

XIOC detected Domain: g.download

extracted_from_files

Domain

detected Domain: v.id

XIOC detected Domain: v.id

extracted_from_files

Domain

detected Domain: w.map

XIOC detected Domain: w.map

extracted_from_files

Domain

detected Domain: y.id

XIOC detected Domain: y.id

extracted_from_files

Domain

detected Domain: k.map

XIOC detected Domain: k.map

extracted_from_files

Domain

detected Domain: y.fields.map

XIOC detected Domain: y.fields.map

extracted_from_files

Domain

detected Domain: g.help

XIOC detected Domain: g.help

extracted_from_files

Domain

detected Domain: a.name

XIOC detected Domain: a.name

extracted_from_files

Domain

detected Domain: t.data

XIOC detected Domain: t.data

extracted_from_files

Domain

detected Domain: u.call

XIOC detected Domain: u.call

extracted_from_files

Domain

detected Domain: v.name

XIOC detected Domain: v.name

extracted_from_files

Domain

detected Domain: h.download

XIOC detected Domain: h.download

extracted_from_files

Domain

detected Domain: h.click

XIOC detected Domain: h.click

extracted_from_files

Domain

detected Domain: a.target

XIOC detected Domain: a.target

extracted_from_files

Domain

detected Domain: ae.target

XIOC detected Domain: ae.target

extracted_from_files

Domain

detected Domain: fonts.googleapis.com

XIOC detected Domain: fonts.googleapis.com

extracted_from_files

Domain

detected Domain: ee.call

XIOC detected Domain: ee.call

extracted_from_files

Domain

detected Domain: ro.id

XIOC detected Domain: ro.id

extracted_from_files

Domain

detected Domain: shopify.com

XIOC detected Domain: shopify.com

extracted_from_files

Domain

detected Domain: u.name

XIOC detected Domain: u.name

extracted_from_files

Domain

detected Domain: t.map

XIOC detected Domain: t.map

extracted_from_files

Domain

detected Domain: d.is

XIOC detected Domain: d.is

extracted_from_files

Domain

detected Domain: e.call

XIOC detected Domain: e.call

extracted_from_files

Domain

detected Domain: v.click

XIOC detected Domain: v.click

extracted_from_files

Domain

detected Domain: g.payload.show

XIOC detected Domain: g.payload.show

extracted_from_files

Domain

detected Domain: ns.adobe.com

XIOC detected Domain: ns.adobe.com

extracted_from_files

Domain

detected Domain: e.pf

XIOC detected Domain: e.pf

extracted_from_files

Domain

detected Domain: h.bf

XIOC detected Domain: h.bf

extracted_from_files

Domain

detected Domain: clients2.google.com

XIOC detected Domain: clients2.google.com

extracted_from_files

Domain

detected Domain: xe.map

XIOC detected Domain: xe.map

extracted_from_files

Domain

detected Domain: m.map

XIOC detected Domain: m.map

extracted_from_files

Domain

detected Domain: e.target

XIOC detected Domain: e.target

extracted_from_files

Domain

detected Domain: g.id

XIOC detected Domain: g.id

extracted_from_files

Domain

detected Domain: f.id

XIOC detected Domain: f.id

extracted_from_files

Domain

detected Domain: v.style.top

XIOC detected Domain: v.style.top

extracted_from_files

Domain

detected Domain: f.top

XIOC detected Domain: f.top

extracted_from_files

Domain

detected Domain: t.click

XIOC detected Domain: t.click

extracted_from_files

Domain

detected Domain: flatpickr-calendar.open

XIOC detected Domain: flatpickr-calendar.open

extracted_from_files

Domain

detected Domain: a.click

XIOC detected Domain: a.click

extracted_from_files

Domain

detected Domain: i.select

XIOC detected Domain: i.select

extracted_from_files

Domain

detected Domain: t.top-i.top

XIOC detected Domain: t.top-i.top

extracted_from_files

Domain

detected Domain: x.id

XIOC detected Domain: x.id

extracted_from_files

Domain

detected Domain: q.name

XIOC detected Domain: q.name

extracted_from_files

Domain

detected Domain: s.click

XIOC detected Domain: s.click

extracted_from_files

Domain

detected Domain: r.id

XIOC detected Domain: r.id

extracted_from_files

Domain

detected Domain: u.id

XIOC detected Domain: u.id

extracted_from_files

Domain

detected Domain: m.top

XIOC detected Domain: m.top

extracted_from_files

Domain

detected Domain: s.top

XIOC detected Domain: s.top

extracted_from_files

Domain

detected Domain: r.click

XIOC detected Domain: r.click

extracted_from_files

Domain

detected Domain: i.click

XIOC detected Domain: i.click

extracted_from_files

Domain

detected Domain: date.now

XIOC detected Domain: date.now

extracted_from_files

detected IP: ::af

XIOC detected IP: ::af

extracted_from_files

detected IP: ::bef

XIOC detected IP: ::bef

extracted_from_files

Domain

detected Domain: l.call

XIOC detected Domain: l.call

extracted_from_files

Domain

detected Domain: r.call

XIOC detected Domain: r.call

extracted_from_files

Domain

detected Domain: www.w3.org

XIOC detected Domain: www.w3.org

extracted_from_files

Domain

detected Domain: paypal.com

XIOC detected Domain: paypal.com

extracted_from_files

Domain

detected Domain: i.name

XIOC detected Domain: i.name

extracted_from_files

Domain

detected Domain: i.id

XIOC detected Domain: i.id

extracted_from_files

Domain

detected Domain: e.map

XIOC detected Domain: e.map

extracted_from_files

Domain

detected Domain: r.country

XIOC detected Domain: r.country

extracted_from_files

Domain

detected Domain: linkedin.com

XIOC detected Domain: linkedin.com

extracted_from_files

Domain

detected Domain: facebook.com

XIOC detected Domain: facebook.com

extracted_from_files

Domain

detected Domain: github.com

XIOC detected Domain: github.com

extracted_from_files

Domain

detected Domain: e.click

XIOC detected Domain: e.click

extracted_from_files

Domain

detected Domain: i.open

XIOC detected Domain: i.open

extracted_from_files

Domain

detected Domain: o.id

XIOC detected Domain: o.id

extracted_from_files

Domain

detected Domain: o.name

XIOC detected Domain: o.name

extracted_from_files

Domain

detected Domain: l.name

XIOC detected Domain: l.name

extracted_from_files

Domain

detected Domain: l.id

XIOC detected Domain: l.id

extracted_from_files

Domain

detected Domain: t.host

XIOC detected Domain: t.host

extracted_from_files

Domain

detected Domain: e.name

XIOC detected Domain: e.name

extracted_from_files

Domain

detected Domain: n.id

XIOC detected Domain: n.id

extracted_from_files

Domain

detected Domain: a.id

XIOC detected Domain: a.id

extracted_from_files

Domain

detected Domain: t.id

XIOC detected Domain: t.id

extracted_from_files

Domain

detected Domain: t.tab

XIOC detected Domain: t.tab

extracted_from_files

Domain

detected Domain: i.pravatar.cc

XIOC detected Domain: i.pravatar.cc

extracted_from_files

Domain

detected Domain: o.map

XIOC detected Domain: o.map

extracted_from_files

Domain

detected Domain: banking.example.com

XIOC detected Domain: banking.example.com

extracted_from_files

Domain

detected Domain: sensitive-site.com

XIOC detected Domain: sensitive-site.com

extracted_from_files

Domain

detected Domain: example.com

XIOC detected Domain: example.com

extracted_from_files

Domain

detected Domain: sub.domain.example.com

XIOC detected Domain: sub.domain.example.com

extracted_from_files

Domain

detected Domain: b.co

XIOC detected Domain: b.co

extracted_from_files

Domain

detected Domain: example.co.jp

XIOC detected Domain: example.co.jp

extracted_from_files

Domain

detected Domain: e.id

XIOC detected Domain: e.id

extracted_from_files

Domain

detected Domain: n.name

XIOC detected Domain: n.name

extracted_from_files

Domain

detected Domain: pe.map

XIOC detected Domain: pe.map

extracted_from_files

Domain

detected Domain: fonts.gstatic.com

XIOC detected Domain: fonts.gstatic.com

extracted_from_files

Security Analysis Summary

Security Analysis Overview

FormFlow is a Chrome Web Store extension published by [email protected]. Version 0.1.0 has been analyzed by the Risky Plugins security platform, receiving a risk score of 64.9/100 (MEDIUM risk) based on 185 security findings.

Risk Assessment

This extension presents high security risk. Significant concerns were identified during analysis. It is not recommended for use in sensitive or production environments without thorough review.

Findings Breakdown

High: 8 finding(s)
Medium: 144 finding(s)
Low: 33 finding(s)

What Was Analyzed

The security assessment covers multiple analysis categories:

Malware Detection: YARA rule matching against 2,400+ malware signatures
Secret Detection: Scanning for exposed API keys, tokens, and credentials
Static Analysis: Code-level security analysis for common vulnerability patterns
Network Analysis: Detection of suspicious network communications and endpoints
Obfuscation Detection: Identification of code obfuscation techniques

Developer Information

FormFlow is published by [email protected] on the Chrome Web Store marketplace.

Recommendation

This extension is not recommended for installation without thorough manual review. Consider alternatives with lower risk scores, or contact the developer to address the identified security concerns.

Source Code Viewer

Source Code Not Available

Source code is not available for this version of the extension.

Frequently Asked Questions

Similar Extensions

Related extensions from the same publisher or marketplace

KPN Password Manager

[email protected]

CRITICAL

MAGgie - An AI Assistant

[email protected]

CRITICAL 1K users

Aintivirus Privacy and Wallet

[email protected]

CRITICAL 46 users

BugZap — Visual Bug Reporter

[email protected]

CRITICAL

FormGenieAI

[email protected]

CRITICAL

OmniChat

[email protected]

CRITICAL 58 users

Risk Assessment

Severity Breakdown

Finding Categories

YARA Rules Matched

Requested Permissions

About This Extension

Detailed Findings

OBFUSCATION-UNICODE_HEAVY-options.js-36

OBFUSCATION-UNICODE_HEAVY-options.js-1

OBFUSCATION-UNICODE_HEAVY-popup.js-67

OBFUSCATION-UNICODE_HEAVY-popup.js-46

OBFUSCATION-UNICODE_HEAVY-options.js-15

OBFUSCATION-UNICODE_HEAVY-background.js-15

OBFUSCATION-UNICODE_HEAVY-popup.js-32

OBFUSCATION-UNICODE_HEAVY-background.js-36

NET-SOCKET_IO-popup.js-74

YARA Rule Matches

LocalStorageShouldNotBeUsed

postinstall file manipulation

postinstall network communication

postinstall file download

postinstall system command

NoUseWeakRandom

postinstall crypto operations

postinstall obfuscation

SQLInjection

postinstall persistence mechanism

Indicators of Compromise

All Indicators · 133

Security Analysis Summary

Security Analysis Overview

Risk Assessment

Findings Breakdown

What Was Analyzed

Developer Information

Recommendation

Frequently Asked Questions

Similar Extensions

KPN Password Manager

MAGgie - An AI Assistant

Aintivirus Privacy and Wallet

BugZap — Visual Bug Reporter

FormGenieAI

OmniChat