It seems crazy to me that the offered way to install an extension on Chrome is to click a button on a privileged website, and then the installed extension autoupdates without an option to turn it off.

I hate the idea of installing stuff without an ability to look at what's inside first, so what I did was patch Chromium binary, replacing all strings "chromewebstore.google.com" with something else, so I can inject custom JS into that website and turn "Install" button into "Download CRX" button. After downloading, I can unpack the .crx file and look at the code, then install via "Load unpacked" and it never updates automatically. This way I'm sure only the code I've looked at gets executed.