ReAPI Extension

The bundled manifest declares webRequest, declarativeNetRequestFeedback, storage, and tabs — none of which appear in the CWS-published manifest (which lists only cookies and declarativeNetRequest). webRequest in particular grants real-time interception of all browser traffic, far exceeding what the CORS-helper purpose requires. The mismatch between what Google shows users in the store listing and what is actually installed is itself a high-severity red flag under the schema's manifest-mismatch rule.

{  "permissions": [    "webRequest",    "declarativeNetRequest",    "declarativeNetRequestFeedback",    "storage",    "tabs"  ],  "declarative_net_request": {    "rule_resources": []  }}

A static rule file exists that would inject a non-standard synthetic header A6666: 69699696 into every XHR/WebTransport response with no domain condition. While the manifest's rule_resources array is empty so this file is not currently loaded, its presence alongside an undisclosed webRequest permission and a publisher with a 100% malware rate for other extensions is anomalous. The header value has no apparent legitimate purpose and could serve as an extension fingerprint readable by any page script.

[  {    "id": 1,    "priority": 1,    "action": {      "type": "modifyHeaders",      "responseHeaders": [        {          "header": "Access-Control-Allow-Origin",          "operation": "set",          "value": "*"        },        {          "header": "A6666",          "operation": "set",          "value": "69699696"        }      ]    },    "condition": {      "resourceTypes": [        "xmlhttprequest",        "webtransport",        "other"      ]    }  }]