Comment by bennydog224
2 days ago
Google needs to act on removing these extensions/doing more thorough code reviews. Reputability is everything, and they can be actually valuable (e.g. LastPass, my own extension Ward)
There has to be a better system. Maybe a public extension safety directory?
I don't understand how code review would catch this. The extension advertises itself as an AI protection tool that monitors your AI interactions. The code is basically consistent with the stated purpose. That it doesn't stop collecting data when you turn off the UI alerting is perhaps an inconsistency, but I think that's debatable (is there a rule in Google's terms that says data collection is contingent on UI alerts being enabled?). I'm curious what workflow or decision tree you'd expect a code review process to follow here that results in this being rejected? The problem here doesn't seem code related, it's policy related, as in, what are they doing with the information, not that the extension has code to collect it.
I’m not sure there’s much more juice to squeeze here via automated or semi-automated means. They could perhaps be doing these kind of human-in-the-loop reviews themselves for all extensions that hit a certain install count, but that’s not a popular technique at Google.
Chrome extension codebases are fairly basic, I think there's room to build an agentic code scanner for these, but the juice probably isn't worth the squeeze to justify for them $$$-wise. Manual reviews I agree are expensive and dicey.
Google is doing code review on extensions?
I’m not sure, but whenever I cut a new release I upload my extension code and it goes through a review period before they publish.
Do you think Google wants to have the extensions system, given that this is how people block ads?
Adblockers on Chromium-based browsers were severely crippled by Manifest V3. They're fine with extensions (and apparently malware) as long as users can't effectively block their tracking/ads.
Adblockers are still working fine though? I’m on chrome with ublock and I’m not seeing any ads.
I wouldn’t be surprised if it goes away - it’s very “old Google”. We’re moving more towards walled gardens.
Is this even a problem that code review could find? Once they have your conversation data what happens then isn't part of the plug-in.
You're not wrong, but one thing about scammy developers is they tend to be ballsy and not covert. The Koi blog covers all the egregious code specifically for exfilling LLM conversations. This stuff is a walking red flag if it was in a public commit/PR.