Won't the damage be done by the time you detect it? Extensions auto-update by default and there are only hacky ways to prevent this. This has always bothered me since just because I trust an extension now, doesn't mean I'll trust the next update that gets automatically applied.
At least I think it's pretty rare for a sold extension to turn malicious in a way that it could do permanent damage, such as stealing your passwords. It's usually more along the lines of excessively invasive tracking or injecting their own ads; while I absolutely wouldn't want that normally, I probably wouldn't lose sleep over it if I learned that it had happened for 24 hours before I uninstalled the extension. That being said, I would definitely like a better solution to this problem.