For those interested in understanding the security of Chrome extensions, duo introduced CRXcavator (https://crxcavator.io/) a while back, which does some risk scoring around permissions. It is chrome-only, and it doesn't protect against this type of attack specifically, although you can look at the Potential External Communication section for possible issues.