Extension Details
Context-Aware Verdict
The extension has a solid user base of 40,000 users and maintains a high rating of 4.8 stars from 114 reviews, suggesting positive user experiences. The developer bold.org appears to be associated with a legitimate organization focused on educational scholarships and rewards. However, the lack of detailed developer information and missing last updated date raise some transparency concerns.
The extension's permission set is extremely broad and powerful for a rewards program. The combination of webRequest, cookies, tabs, and universal host permissions creates a surveillance-capable tool that can monitor, intercept, and modify all web traffic across every website. The scripting permission allows code injection into web pages, while content scripts are specifically targeting major e-commerce sites (Amazon, Walmart) and AI platforms (ChatGPT, Claude, Perplexity). This suggests the extension may be collecting detailed browsing and shopping data far beyond what's necessary for a typical rewards program.
Given the critical risk level, consider running this extension in a completely separate Chrome profile isolated from sensitive browsing activities. Before installation, carefully review the privacy policy to understand what data is collected and how it's used. Monitor your browsing behavior and network traffic after installation. Consider whether the rewards offered justify the extensive data access permissions. Alternative reward programs with more limited permissions may provide similar benefits with reduced privacy risks.
Findings
Security Analysis Details
Required Permissions:
- storage
- tabs
- background
- webRequest
- cookies
- unlimitedStorage
- scripting
- notifications
Host Permissions:
- http://*/*
- https://*/*
Embedded URLs (129 total):
| https://www.partner.com/terms-of-service | https://www.partner.com/privacy-policy | |
| https://npms.io/search?q=ponyfill. | http://momentjs.com/guides/#/warnings/define-locale/ | |
| http://momentjs.com/guides/#/warnings/js-date/ | http://momentjs.com/guides/#/warnings/min-max/ | |
| http://momentjs.com/guides/#/warnings/add-inverted-param/ | http://momentjs.com/guides/#/warnings/zone/ | |
| http://momentjs.com/guides/#/warnings/dst-shifted/ | https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage | |
| https://reactjs.org/docs/error-decoder.html?invariant= | https://www.wildlink.me/webservice | |
| https://www.wildlink.me/data | https://wild.link | |
| https://www.walmart.com/ | https://www.walgreens.com/ | |
| https://analytics.tiktok.com/ | https://seasalt.pmp.crealytics.com/ | |
| https://us-central1-adaptive-growth.cloudfunctions.net/ | https://jssdks.mparticle.com/ | |
| https://ae.mmstat.com/ | https://api.segment.io/v1/ | |
| https://matching.granify.com/ | https://www.petco.com/api/ | |
| https://events.release.narrativ.com/ | https://pay.ebay.com/ | |
| https://www.justafakeurltotest.com/ | https://wildlink.me | |
| https://github.com/uuidjs/uuid#getrandomvalues-not-supported | https://www.walmart.com | |
| https://www.officedepot.com | https://www.staples.com | |
| https://www.jcpenney.com | https://www.macys.com | |
| https://www.kohls.com | https://www.overstock.com | |
| https://www.chewy.com | https://secure-oldnavy.gap.com | |
| https://secure-www.gap.com | https://www.nordstrom.com | |
| https://www.petco.com | https://www.sephora.com | |
| https://pay.ebay.com | https://www.walgreens.com | |
| https://www.aliexpress.com | http://www.example.com | |
| https://0.0.0.0:0/keepalive | https://us.i.posthog.com | |
| https://us-assets.i.posthog.com | https://eu.i.posthog.com | |
| https://eu-assets.i.posthog.com | https://posthog.com/docs/feature-flags/best-practices | |
| https://posthog.com/docs/billing/limits-alerts | https://dev.wild.link | |
| https://shop.app/checkout/ | https://shop.app/pay/ | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xhtml | https://shop.app | |
| https://www.kohls.com/cnc/applyCoupons | https://www.kohls.com/checkout/shopping_cart.jsp | |
| https://www.landsend.com/co/checkout/applyPromotion | https://www.landsend.com/shopping-bag | |
| https://www.belk.com/shopping-bag | https://www.belk.com/add-coupon/?couponCode= | |
| https://www.saksfifthavenue.com/cart-coupon-add | https://www.saksfifthavenue.com/cart | |
| https://www.saksfifthavenue.com/checkout/start | https://www.cvs.com/RETAGPV3/RxExpress/V2/applyCoupon | |
| https://www.cvs.com/rx/dotm/cart?flowType=FS | https://order-api.jcpenney.com/order-api/v1/accounts | |
| https://www.jcpenney.com/cart | https://www.dell.com/purchase/api/cart-bridge-context/v1/coupons/ | |
| https://www.dell.com/purchase/cart/en-us | https://www.dell.com/cart/en-us/outlet | |
| https://www.dell.com/purchase/cart/en-us/outlet | https://www.amazon.com/ | |
| https://www.amazon.com/gp/subs/primeclub/account/homepage.html?ref_=nav_AccountFlyout_prime | https://www.amazon.com/gp/primecentral |
Raw Manifest
{ "name": "__MSG_Meta_appName__", "icons": { "128": "img/icon-128.png" }, "action": { "default_icon": "img/icon-disabled-128.png" }, "version": "1.14.0", "background": { "service_worker": "worker.js" }, "short_name": "__MSG_Meta_shortAppName__", "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_Meta_appDescription__", "permissions": [ "storage", "tabs", "background", "webRequest", "cookies", "unlimitedStorage", "scripting", "notifications" ], "default_locale": "en", "content_scripts": [ { "js": [ "browser-polyfill.min.js", "content.js" ], "run_at": "document_start", "matches": [ "http://*/*", "https://*/*" ] }, { "js": [ "amazonConquest.js" ], "run_at": "document_start", "matches": [ "http://www.walmart.com/*", "https://www.walmart.com/*" ] }, { "js": [ "asinTrack.js" ], "run_at": "document_start", "matches": [ "https://www.amazon.com/*" ] }, { "js": [ "browser-polyfill.min.js", "checkout.js" ], "run_at": "document_start", "matches": [ "http://*/*", "https://*/*" ], "all_frames": true }, { "js": [ "chatgpt.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "*://chatgpt.com/*", "*://chat.openai.com/*" ] }, { "js": [ "perplexity.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "*://*.perplexity.ai/*" ] }, { "js": [ "claude.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "*://claude.ai/*" ] }, { "js": [ "copilot.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "*://copilot.microsoft.com/*" ] }, { "js": [ "gemini.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "*://www.google.com/search?*" ] } ], "host_permissions": [ "http://*/*", "https://*/*" ], "manifest_version": 3, "externally_connectable": { "matches": [ "*://*.wild.link/*" ] }, "web_accessible_resources": [ { "matches": [ "http://*/*", "https://*/*" ], "resources": [ "img/*", "source/fonts/*" ] }, { "matches": [ "<all_urls>" ], "resources": [ "auth.html", "googleAppleOauth.html", "shoppay.js" ] } ], "browser_specific_settings": { "edge": { "browser_action": { "default_title": "__MSG_Meta_appName__" } } } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.