I've developed a few Chrome extensions myself - it needs that to work. The only way to make it work is to injecting a script into your current webpage, which changes the appearance. Unfortunately there is no way to also disable the network connections of that script so it could hypothetically contact another website and leak your data - note it cannot leak cookies if they are HTTP only, but this depends on your sensitive website's web developer being competent.
You must also trust the dependencies of the application as well - refreshingly there is only one called malevic [0], which itself has no dependencies.
My impression is that the author of this extension is genuinely just trying to make something good for the benefit of the community but it's not as though Chrome extensions haven't been purchased before. Also we must trust that the published extension is the same as the extension in the Github repository, I don't know of a way to verify this.
The only way to probably be safe is to audit the source code yourself and install it in development mode. Or just use a different profile for truly sensitive stuff vs just casual browsing.
You must also trust the dependencies of the application as well - refreshingly there is only one called malevic [0], which itself has no dependencies.
My impression is that the author of this extension is genuinely just trying to make something good for the benefit of the community but it's not as though Chrome extensions haven't been purchased before. Also we must trust that the published extension is the same as the extension in the Github repository, I don't know of a way to verify this.
The only way to probably be safe is to audit the source code yourself and install it in development mode. Or just use a different profile for truly sensitive stuff vs just casual browsing.
[0] https://github.com/alexanderby/malevic