Validors
← All audits

Auditing Dark Reader: the cost of a name that's also your top keyword

76.7/100Dark Reader on the Chrome Web StoreMake Chrome Yours > Accessibility

Dark Reader has been around since 2014, has 6 million users, and a 4.66 average rating - one of the more universally recommended accessibility extensions on the store. We audited its live listing to see how a decade-old, actively maintained extension holds up against the same rubric every Validors user gets.

What scored well

  • Manifest V3, cleanly migrated.
  • Permission count is reasonable outside of the one broad-host flag below - five permissions total, nothing excessive.
  • Visual assets: five screenshots, a small promo tile, a legible icon, and a first screenshot that immediately shows the dark-mode effect in action.
  • Social proof: a 4.66 rating average and the Featured badge.

What's actually holding it back

Broad host permissions (confirmed_policy, high severity). The manifest requests *://*/*. For an extension whose entire feature is "apply dark mode to any website you visit," this is arguably the most defensible case for broad permissions we've seen in this audit series - the feature genuinely requires site-wide access. Chrome's review process still flags it the same way it would for an unrelated extension, which is exactly the distinction Validors tries to preserve: confirmed policy means Chrome's rule applies, not that the finding proves bad intent.

Keyword repetition (confirmed_policy, medium severity). "Dark" appears more than five times in the description - again, largely because it's core to the product's name and function, not padding.

Listing content is stale (best_practice_unproven, low severity). The store listing text hasn't changed in years, despite the extension itself being on version 4.9.128 with an active changelog. This is the recurring pattern across every long-running, well-regarded extension we've audited so far: the code stays current, the listing copy doesn't.

The takeaway

A 76.7/100 for an extension this established says something useful: raw trust signals (rating, install count, longevity) don't automatically clear Chrome's policy-level checks. The two confirmed_policy findings here are genuinely low-risk given what the extension does - but "low-risk" and "not flagged" aren't the same thing, and that gap is the whole reason Validors labels confidence instead of just handing back a checklist.

Want this for your own extension?

Run a free audit