Validors
← All audits

Auditing ChessSolve: narrow permissions done right, undercut by its own vocabulary

84.2/100ChessSolve on the Chrome Web StoreLifestyle > Games

Every extension in this series so far has been an established, high-install incumbent. ChessSolve is the opposite: 153 users, 8 ratings, published under the developer name "chesssolve.com" rather than a company - the kind of listing that's easy to assume is too early to bother auditing. It scores 84.2/100, and where it loses points, the story looks nothing like the bigger listings we've covered.

What scored well

  • Manifest V3, cleanly on the current platform.
  • Permission scoping. This is the standout. Instead of a blanket *://*/* grant, the manifest requests activeTab, storage, and host access scoped to exactly three domains: *://*.chess.com/*, *://*.lichess.org/*, and https://chesssolve.com/* - the two sites the extension overlays analysis on, plus its own backend. Every extension we've audited so far that needed broad site access requested it with *://*/*; this is the first one that needed narrow, cross-site access and actually scoped it narrowly instead of reaching for the wildcard.
  • Visual assets. Five screenshots, a small promo tile, and an icon that the rubric's AI-assisted checks flagged as legible even at small sizes, plus a first screenshot that immediately shows the live evaluation overlay in action.
  • Freshness. Listing content was last touched 96 days ago - recent enough not to read as neglected.

What's actually holding it back

Keyword repetition (confirmed_policy, medium severity). Six terms - "move," "chesssolve," "analysis," "com," "evaluation," "game" - repeat five or more times in the description. Chrome's policy treats 5+ repetitions as triggering increased scrutiny regardless of intent, and as with the other own-name/own-function cases we've seen in this series, most of these words are core product vocabulary rather than padding. That context doesn't change how Chrome's automated review counts them.

No badges (correlated_unofficial, low severity). No Featured or Established Publisher badge - expected at this stage, and Validors labels this finding with lower confidence on purpose: badge presence is correlated with trust in review studies, not a documented ranking input Chrome discloses.

Worth reading honestly, not flagged as a finding: the 5.0 rating average comes from 8 ratings. That's a real number, not fabricated, but a sample that small means one review swings the average significantly - a fundamentally different signal from a rating built on thousands of reviews. Small isn't bad; it's just not comparable yet, and we'd rather say that plainly than let a "5.0" read the same as Dark Reader's 4.66 across a much larger base.

The takeaway

An 84.2 with exactly one confirmed_policy finding - and that finding traces back to the extension's own name and function, the same pattern we've seen on every established extension in this series. What's different here is the permission story: this is the first listing we've audited where broad cross-site access was arguably justified by the feature (overlaying analysis across two different chess platforms) and the developer scoped it narrowly anyway instead of defaulting to <all_urls>. At 153 users, the listing is early - which is exactly when fixing a five-minute keyword issue is cheapest.

Want this for your own extension?

Run a free audit