~/wellseasoned.dev

Be Wary of Code

· 2 min read

I needed an Obsidian plugin for marking up content and adding comments to documents. Checked the community plugins and found two interesting candidates:

The first was HiNote (215 stars on GitHub and 33k downloads on Obsidian) and the second was Sidebar Highlights (120 stars on GitHub and 20k downloads on Obsidian).

Normally the choice would have been the default; more social vetting, more eyes on the code, more bug reports, more trust. But times are a changing, and code being essentially free to write means that we can’t depend on cost to create as a gating factor. The primary one had features that triggered my spidey sense: AI integration, seemed to be heading towards a paid tier, and a banner declaring that it was written with AI (Not that it’s a bad thing in and of itself).

This is a personal knowledge-base that contains a remarkable amount of personal notes and data so I am cautious about what I install. So before installing either, I had Claude Code analyze both for potential security issues.

  • HiNote: phone home to a license server, obsidian vault fingerprinting, third-party AI service calls, and potential for script-based attacks; I am sure all of these are well intentioned but they provide plenty of surface area for exploits or data exfiltration.

  • Sidebar Highlights: no network activity, no dangerous functions, minimal and sane dependencies.

I picked the less popular one.

AI makes creating software easier than ever, but the good news is that it is easier than ever to scrutinize code before you use it. And if you are using coding tools be sure to run periodic security and architecture reviews.

So what should you do?

Audit before you install. Use AI to audit code before installing it. Have it analyze the codebase for security risks, exploits, malware and data exfiltration.

Prefer minimal, transparent tools. Smaller codebases are easier to audit and have less surface area for exploits. No network activity is better than “justified” network activity.

Reframe “convenient” as “risky.” Installing a plugin takes 30 seconds. Vetting it takes 10 minutes. Recovering from a security compromise takes days or weeks. Convenience debt compounds like technical debt — the longer you defer scrutiny, the more risk accumulates.