[runlevel1]

All Chrome extensions require trust. That should factor into your decision to install any of them.

This is no more risky than any other extension whose permissions include `https://mail.google.com/`. Anecdotally, that probably includes most extensions seeing as how most of the ones I come across request `<all_urls>` whether or not they need it (not that that's okay).

In any case it's open source, so you can download it, audit the code, and install it locally to prevent auto-updating.

[throwanem]

Or use an email client that runs outside your browser, and reduce your threat surface considerably - yes, you still have to worry about other things you do in the browser, but compromising your email compromises all those too via password resets, which isn't the case for anything else if your password discipline is good.

Yes, Gmail makes it harder than it should be to use the email client of your choice. But that's not a problem with email clients. That's a problem with Gmail. It's far from the only one.