Validors
← All audits

Auditing Grammarly: 36M users, 9 permissions, one unresolved trust flag

Grammarly is one of the largest extensions on the Chrome Web Store: 36 million users, a 4.5 average rating, and a listing dense with press quotes and feature breakdowns. We ran it through the same rubric every Validors audit uses, no manual adjustment for its size.

What scored well

  • Manifest V3, migrated.
  • Visual assets: five screenshots, a small promo tile, a highly legible icon (the "G" speech-bubble mark holds up even scaled down), and consistent visual style throughout.
  • Social proof: 4.5 average rating, Featured badge present.
  • Copy quality: description length and structure are within normal range despite being one of the longer listings we've audited.

What's actually holding it back

Broad host permissions (confirmed_policy, high severity). Grammarly requests http://*/* and https://*/*, needed because it offers suggestions across "500,000+ sites" per its own listing copy. That's a real product requirement, not obvious overreach - but it's still the single highest-severity, confirmed-policy finding on the report, exactly as it was for Honey and Dark Reader. Three for three so far in this audit series: broad permissions are the most common confirmed_policy flag we've seen, independent of extension size or reputation.

9 permissions requested (best_practice_unproven, medium severity). Beyond the host permission, Grammarly's manifest lists scripting, sidePanel, tabs, notifications, cookies, identity, and storage. Each is plausibly justified by a real feature (side panel UI, sign-in via identity, cross-tab state), but Validors flags the count itself as worth a second look rather than assuming every permission is load-bearing.

Keyword repetition (confirmed_policy, medium severity). Six different terms repeat 5+ times in the description - not just "grammarly," but incidental repeats of "www," "com," and "privacy" from the multiple linked URLs in the listing footer. This is a good example of a technically-correct flag that's mostly an artifact of how the description is formatted (several plain-text links), not keyword stuffing in the spammy sense.

Listing content is stale (best_practice_unproven, low severity). Last touched over 13 years ago by this metric, despite the listing itself referencing "Superhuman Go," a current opt-in beta feature - meaning the content was clearly updated recently even though whatever timestamp this check reads wasn't. This is the clearest case in the series of why this specific check is labeled unproven rather than confirmed: the underlying signal can just be wrong.

The takeaway

Three large, reputable extensions audited in this series - Honey, Dark Reader, Grammarly - and all three land in the 71-77 band, all three trip the same broad-host-permission flag, and all three show a listing-freshness signal that's plausibly stale data rather than an actual maintenance problem. That consistency is the point: Validors' rubric doesn't grade on reputation, and a large extension with millions of users isn't automatically clear of the same checks a brand-new listing gets.

Want this for your own extension?

Run a free audit