Skip to content
Kunkun

Extension Security

Extension is a powerful feature that allows users to extend the functionality however they want.

However, great functionality may require access to file system and system APIs, which can be dangerous if not properly secured.

Since community maintained extensions can be installed to Kunkun, there is no guarantee that the extension is safe, just like other extension systems like Chrome extensions, VSCode Extensions, Raycast Extensions, etc. We can only try to maintain a safety design to minimize the risk.

All community extensions are open sourced on GitHub, and published to NPM or JSR with provenance statements. See Design for more details.

Provenance statements are not a guarantee of security, but it’s a good start. With provenance statements, we can at least know the origin of the extension and the build process.

Permission Management System

Similar apps like Raycast gives extensions full access to the file system and system APIs. This gives extensions a lot of power to do anything they want, but also makes it dangerous.

Although their extensions are all open sourced for review, there is still a risk that the extension can do something malicious.

KK also takes advantages of system APIs to provide powerful features, but it also has a multi-level permission management system to control what an extension can do.

KK is designed to take a similar approach to Chrome extensions and Tauri, where the required permission for an app must be declared in the manifest file.

The extension store will show the required permissions for each extension, and the user can decide whether to install it or not.

If an extension accessed APIs they didn’t declare in the manifest file, the behaviour will be logged, and the user will be notified.

For example, if a timer extension is expected to request notification permission, but not clipboard permission.

KK splits exposed APIs into different permission groups. e.g. clipboard APIs have clipboard:read-text, clipboard:read-all, clipboard:write-image and more. Extensions should only request the minimum required permissions.

File system APIs will also have different access scopes. e.g.

  1. Access to Desktop, Documents, Downloads
  2. Access to all files in the user’s home directory
  3. Access to all files in the system

Fore more details about permission declaration, see Extension Permissions and the documentation of each API.

Application Lifecycle Threats

Buildtime Threats

Buildtime threats are the threats that happen when the extension is being built. e.g.

All extensions are open sourced with provenance statements. One can easily find the exact repo, commit and GitHub Action workflow that built the extension.

However, it is possible that some extensions includes malicious code that can be triggered during build time.