OP (or whoever authored the app), open your manifest.json file, go to line 20, and edit the permissions line to remove the all-domain permissions. Here are your current permissions:
I'm not going to read through all of your js to figure out what other domains you really need. Kudos on the idea -- I like it. Just not ideal to ship an app to this audience with the unnecessary security nail-biter during install. Fix and push and you should be good to go.
While I agree with your point, the extension will need permissions for all the sites it's contacting besides Hacker News (Twitter, LinkedIn, etc). I'm guessing Gwendall figured he might as well put a lax permission while developing to make it easy on him. It'd still be a good time to clean this up.
The reason it needs all permissions is that some people have their own pages and the data is on there. So you might need permission to crawl those secondary pages for twitter and github (?)
At least I think that's how it works. I could be wrong.
EDIT: Format