From the Duo Security Web Site:
To provide users and IT teams with actionable intelligence about Chrome extensions, Duo Labs is excited to announce the public beta of CRXcavator (rhymes with “excavator”), a free service that analyzes Chrome extensions and produces comprehensive security reports.
The Chrome extension permission model asks the user to approve permissions, and people will often grant permissions to extensions without much consideration.
Even if a security team has approved an extension, its functionality can change over time, often without notice. One scenario where this applies is if a malicious third party were to gain control of the extension, perhaps by buying it from the developer or compromising the developer’s account. The third party could add malicious code and push the new version out to existing users without triggering another security review. Manually reviewing every update to extensions allowed in an organization’s domain is not feasible for most security teams.
Direct to CRXcavator
Hat Tip: Dark Reading