Extension Details
Context-Aware Verdict
The extension has very limited trust indicators with only 1,000 users and just 2 ratings, making it difficult to assess community validation. The perfect 5.0 rating from such a small sample size is not statistically meaningful. The developer domain "monkeymarket.click" appears to be a generic marketplace rather than an established game developer, which raises questions about the extension's legitimacy and long-term support.
The primary security concern is the Content Security Policy that explicitly allows 'unsafe-eval' in sandbox contexts, enabling dynamic JavaScript execution through eval() and similar dangerous functions. This creates a significant attack vector where malicious code could potentially be executed. For a simple unblocked game extension, this level of JavaScript evaluation capability seems excessive and unnecessary. The combination of low user adoption, minimal developer information, and permissive security policies creates multiple risk factors.
Consider running this extension in a separate Chrome profile to isolate potential security risks from your main browsing environment. Before installation, verify the game actually works as advertised and monitor for any suspicious network activity. Given the security findings and limited trust factors, you might want to look for alternative game extensions from more established developers with better security practices and larger user bases.
Findings
Security Analysis Details
Content Security Policy:
- extension_pages: script-src 'self' ; object-src 'self'; child-src 'self'; worker-src 'self'
- sandbox: sandbox allow-scripts; script-src 'self' 'unsafe-eval' blob: 'unsafe-inline'; object-src 'self' 'unsafe-eval' blob: 'unsafe-inline';child-src 'self' 'unsafe-eval' blob: 'unsafe-inline' ; worker-src 'self' 'unsafe-eval' blob: 'unsafe-inline'; script-src-elem 'self' 'unsafe-eval' blob: 'unsafe-inline'
Embedded URLs (12 total):
| https://chrome.google.com/webstore/detail/ | https://monkeymarket.click/NewGames.html | |
| https://clients2.google.com/service/update2/crx | https://monkeymarket.click | |
| https://watermelongames.click/How-to-Fix-WebGL-Not-Supported | https://www.construct.net/en | |
| https://play.google.com/store/apps/details?id=com.google.android.webview | https://bugs.webkit.org/show_bug.cgi?id=191064 | |
| https://www.google.com/chrome | https://www.mozilla.org/firefox | |
| https://www.construct.net | http://en.wikipedia.org/wiki/HSL_and_HSV#Converting_to_RGB |
Raw Manifest
{ "name": "__MSG_AppName__", "icons": { "256": "icons/128.png" }, "action": { "default_icon": { "256": "icons/128.png" } }, "sandbox": { "pages": [ "game/index.html" ] }, "version": "1.3.3", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_AppDesc__", "default_locale": "en", "offline_enabled": true, "manifest_version": 3, "content_security_policy": { "sandbox": "sandbox allow-scripts; script-src 'self' 'unsafe-eval' blob: 'unsafe-inline'; object-src 'self' 'unsafe-eval' blob: 'unsafe-inline';child-src 'self' 'unsafe-eval' blob: 'unsafe-inline' ; worker-src 'self' 'unsafe-eval' blob: 'unsafe-inline'; script-src-elem 'self' 'unsafe-eval' blob: 'unsafe-inline'", "extension_pages": "script-src 'self' ; object-src 'self'; child-src 'self'; worker-src 'self'" } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.