> you can clone it on your local machine, read through our code to verify that it is not malicious, and then install it
I like that the authors share my concern about installing an extension that would by design record every page I visit. However, the repository contains several minified JavaScript files [1]. This somewhat contradicts their invitation to read through the code.
Switch to Firefox and only use fully reviewed/approved add-ons if you're serious about this. I just put a ported Chrome extension through the full Firefox add-on review process (thanks to WebExtensions they're easy to port now), and those guys rejected my extension twice because they couldn't replicate my minified code from my dependencies to the exact byte.
Chrome Web Store doesn't care what I upload and push down to my users. I've had numerous requests from spammers looking to buy my extension based on the number of users and their geography. I guess once they buy an extension they push malware down to the users, so even if you can trust the extension developer or source now, you can't keep that trust up indefinitely.
It serves no purpose, reviewing third-party code that you don't even know is the same that is distributed. But anyways, since Chrome has autoupdate for addons, it doesn't matter if you're reviewing the addons you install or not, because it can change at any point.
Don't Chrome extensions automatically update themselves? Assuming no permissions are changed I think they do. It would be nice if there was some sort of version pinning.
After some investigating, this extension doesn't have an update_url in the manifest.json, so I think that means it won't/can't auto-update.
[1] https://github.com/lengstrom/falcon/tree/master/extension/js...
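
The checks raised in this thread (does the installed copy match the code you read, does `manifest.json` carry an `update_url`, which files are minified) can be scripted. This is an added example, not code from the thread or from the extension's authors; the directory names, sample files and the 500-character line threshold are constructed assumptions.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def tree_digest(root):
    """Map each file's relative path to the SHA-256 of its bytes."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit(reviewed, installed, max_line=500):
    """Compare the tree you read against the tree the browser actually loads."""
    a, b = tree_digest(reviewed), tree_digest(installed)
    manifest = json.loads((Path(installed) / "manifest.json").read_text(encoding="utf-8"))
    # Heuristic (an assumption of this example): a .js file with a very long
    # line is treated as minified, i.e. not practically reviewable as-is.
    minified = sorted(
        rel for rel in b if rel.endswith(".js")
        and any(len(line) > max_line for line in
                (Path(installed) / rel).read_text(encoding="utf-8", errors="replace").splitlines()))
    return {
        "changed": sorted(f for f in a.keys() & b.keys() if a[f] != b[f]),
        "only_installed": sorted(b.keys() - a.keys()),
        "only_reviewed": sorted(a.keys() - b.keys()),
        "update_url": manifest.get("update_url"),  # None if the key is absent
        "minified": minified,
    }


def demo():
    """Constructed sample: two small trees that differ in one file."""
    with tempfile.TemporaryDirectory() as tmp:
        reviewed, installed = Path(tmp, "reviewed"), Path(tmp, "installed")
        for root in (reviewed, installed):
            (root / "js").mkdir(parents=True)
            (root / "manifest.json").write_text('{"name": "sample", "version": "1.0"}')
            (root / "js" / "lib.min.js").write_text("var a=1;" * 200)
        (reviewed / "js" / "background.js").write_text("console.log('reviewed');\n")
        (installed / "js" / "background.js").write_text("console.log('different');\n")
        (installed / "js" / "extra.js").write_text("// not in the reviewed tree\n")
        return audit(reviewed, installed)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any entry under `changed` or `only_installed` means the review did not cover what is actually running, and a non-empty `minified` list marks files that need to be rebuilt from their sources before they can be compared meaningfully.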