SlowMist Cosine: Users need to pay attention to the permission application of browser extensions and have an isolation mindset
2025-03-14 13:34

Odaily News: SlowMist's Yuxian posted on the X platform: "If an extension wants to do evil, such as stealing the cookies of the target page, private data in localStorage (such as account permission information, private key information), DOM tampering, request hijacking, clipboard content acquisition, etc., it just needs to configure the relevant permissions in manifest.json. If the user does not pay attention to the permissions the extension requests, it will be troublesome. But if an extension wants to do evil and wants to directly attack other extensions, such as well-known wallet extensions, it is still not easy... because the sandbox is isolated... For example, it is unlikely to directly steal the private key/mnemonic information stored in the wallet extension. If you are worried about the permission risk of an extension, it is actually very easy to judge this risk. After installing the extension, you can hold off on using it, look at the extension ID, search the local path of the computer, find the manifest.json file in the root directory of the extension, and throw the file content directly to AI for permission risk interpretation. If you have an isolation mindset, you can consider enabling a separate Chrome Profile for unfamiliar extensions, so that at least the evil can be controlled, and most extensions do not need to be turned on all the time."
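The manifest.json review described above can also be done with a small local script. This is an added example, not code from SlowMist or the original post; the permission-to-risk mapping and the sample manifest are constructed for illustration, and the script expects the path to a manifest.json you have already located.

```python
import json
import sys

# Chrome permissions tied to the capabilities named in the post
# (the mapping text is this example's own summary, not an official list).
RISKY = {
    "cookies": "read cookies for sites covered by host permissions",
    "clipboardRead": "read clipboard content",
    "webRequest": "observe network requests",
    "webRequestBlocking": "modify or block requests (Manifest V2)",
    "declarativeNetRequest": "block or redirect requests by rule",
    "scripting": "inject scripts into pages (DOM and localStorage access)",
    "tabs": "see URLs and titles of open tabs",
    "debugger": "attach the debugger protocol to tabs",
}
BROAD = ("<all_urls>", "*://*/*", "http://*/*", "https://*/*")

def audit_manifest(text):
    """Return (kind, value, reason) findings for one manifest.json document."""
    m = json.loads(text)
    findings = []
    hosts = list(m.get("host_permissions", []))  # Manifest V3 key
    for p in m.get("permissions", []) + m.get("optional_permissions", []):
        if not isinstance(p, str):
            continue
        if p in RISKY:
            findings.append(("permission", p, RISKY[p]))
        elif p == "<all_urls>" or "://" in p:
            hosts.append(p)  # Manifest V2 lists host patterns here
    for h in hosts:
        if h in BROAD:
            findings.append(("host", h, "applies to every site"))
    for cs in m.get("content_scripts", []):
        for pat in cs.get("matches", []):
            if pat in BROAD:
                findings.append(("content_script", pat,
                                 "script runs in every page (DOM, localStorage)"))
    return findings

# Constructed sample manifest, not taken from any real extension.
SAMPLE = json.dumps({
    "manifest_version": 3, "name": "Constructed Example",
    "permissions": ["storage", "cookies", "clipboardRead"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["https://*/*"], "js": ["c.js"]}],
})

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for kind, value, reason in audit_manifest(text):
        print(f"[{kind}] {value}: {reason}")
```

A manifest with no findings is not proof of safety; the script only surfaces the permission requests worth a closer look before the extension is enabled in a main profile.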