
I've seen plugins like this from time to time and I always wonder to what extent using them with a secured service (like Netflix etc.) means that you've opened yourself up to them doing all sorts of things with your account. You need to log in, and once that's done the plugin code effectively acts as you, doesn't it? I'm guessing there are Chrome/FF protections on the password field, but if the plugin can do anything on a site, might it not draw its own fake password box on top of the real one?

I'm certainly not suggesting this is done by this author and I applaud the creation of the tool, but I'd be interested to hear opinions as to whether my interpretation above is correct or if I'm overly cautious/overlooking something.




I mean, unsurprisingly, it looks like it requests permissions to execute arbitrary code on your behalf on netflix.com. So yeah, it can do... a lot. It could, for example, click the logout button on your behalf, wait for you to log back in again and keylog your password when you do (there aren't any special protections there -- you can access it like any other field from privileged JS, and other extensions like password managers depend on this being the case), then use that to, in the background, change your password and recovery email, and then log you back out again. Any use of Chrome extensions that can execute scripts requires some degree of trust, for better or for worse.


I believe when an extension requires a "matches" permission for, say, ://netflix.com/, it asks for permission to load the content script into the browser tab that has that URL open. Which means that even if the extension involves only the slightest bit of modification to the UI, it still requires the same permission as one that involves the user's sensitive information. It seems this page suggests that the extension could also read usernames and passwords: https://support.mozilla.org/en-US/kb/permission-request-mess...

For what it's worth, we can confidently say that our extension does UI modifications without ever being involved with user-sensitive info. Regardless, we will definitely open source the extension. Hopefully this will win some users' trust. Stay tuned!
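As an added illustration of the two points made above (what a "matches" grant actually covers, and what a content script injected under it can read), here is a script that is not from the thread and not from the extension being discussed. The manifest, the file name tweak.js and the URLs are constructed for the example; the matcher implements the http/https subset of Chrome's match-pattern grammar, and the sniffer only hooks a real page when run as a content script (under Node it just prints the permission analysis).

```javascript
// Added example (not code from the thread or from the extension under discussion).
// Part 1: what a Chrome-style content_scripts.matches / host permission grants,
//         using the http/https subset of the match-pattern grammar.
// Part 2: what a content script injected under that grant can do to a login form.
// The manifest and file name below are constructed for illustration.

const SCHEMES = ['http', 'https']; // '*' in a pattern expands to these (file:/ftp: not handled)

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Compile one match pattern, e.g. "*://*.netflix.com/*", into scheme/host/path matchers.
function compileMatchPattern(pattern) {
  if (pattern === '<all_urls>') {
    return { schemes: SCHEMES, hostRe: /^.*$/, pathRe: /^.*$/ };
  }
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const schemes = scheme === '*' ? SCHEMES : [scheme];
  let hostRe;
  if (host === '*') {
    hostRe = /^.*$/;                     // any host
  } else if (host.startsWith('*.')) {    // the domain itself plus every subdomain
    hostRe = new RegExp(`^(?:[^.]+\\.)*${escapeRe(host.slice(2))}$`, 'i');
  } else {
    hostRe = new RegExp(`^${escapeRe(host)}$`, 'i');
  }
  // In the path part '*' matches any run of characters. Chrome matches it
  // against path + query, so "/*" also covers "/login?nextpage=...".
  const pathRe = new RegExp(`^${path.split('*').map(escapeRe).join('.*')}$`);
  return { schemes, hostRe, pathRe };
}

function urlMatches(pattern, urlString) {
  const { schemes, hostRe, pathRe } = compileMatchPattern(pattern);
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  return schemes.includes(scheme) && hostRe.test(url.hostname) && pathRe.test(url.pathname + url.search);
}

// Every manifest entry that grants script access to pages: static content_scripts
// matches, MV3 host_permissions, and MV2-style host entries inside permissions.
function grantedPatterns(manifest) {
  const fromScripts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const fromHosts = manifest.host_permissions || [];
  const fromMv2 = (manifest.permissions || []).filter((p) => p.includes('://') || p === '<all_urls>');
  return [...new Set([...fromScripts, ...fromHosts, ...fromMv2])];
}

// Which content-script files would the browser inject into this URL?
function injectedScripts(manifest, urlString) {
  return (manifest.content_scripts || [])
    .filter((cs) => (cs.matches || []).some((p) => urlMatches(p, urlString)))
    .flatMap((cs) => cs.js || []);
}

// Constructed manifest for a purely cosmetic "UI tweak" extension. Note that the
// grant it needs for the browse page is the same one that covers the login page.
const manifest = {
  manifest_version: 3,
  name: 'Netflix UI tweak (constructed example)',
  content_scripts: [{ matches: ['*://*.netflix.com/*'], js: ['tweak.js'] }],
};

// Part 2. There is no special protection on <input type="password">: a content
// script reads .value like any other field, which is also what password-manager
// extensions rely on. `doc` is passed in so the function can be exercised outside
// a browser; `report` receives each captured value.
function installCredentialSniffer(doc, report) {
  const hooked = [];
  for (const field of doc.querySelectorAll('input[type="password"]')) {
    field.addEventListener('input', () => report({ name: field.name, value: field.value }));
    hooked.push(field.name);
  }
  return hooked;
}

if (typeof document !== 'undefined') {
  // Running as a real content script: hook the page's password fields.
  installCredentialSniffer(document, (cred) => console.log('captured', cred));
} else {
  // Running under Node: show what the manifest grants and where tweak.js would load.
  const sample = [
    'https://www.netflix.com/browse',
    'https://www.netflix.com/login?nextpage=%2Fbrowse',
    'https://netflix.com/',
    'https://accounts.google.com/',
  ];
  for (const u of sample) console.log(u, '->', injectedScripts(manifest, u));
  console.log('grants:', grantedPatterns(manifest));
}
```

To audit an installed extension, run grantedPatterns over its manifest.json (found under the browser profile's Extensions directory) and urlMatches against the login URL of the site you care about: if the login page matches, the extension's code runs there with full access to the form, whatever its stated purpose.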


I am curious too. I wonder what the limits of an extension are.



