Plugin Trust Levels

TonieToolbox uses a three-tier trust system to help you make informed decisions about plugin safety and reliability.

Trust Levels

🏆 Official

What it means: Developed and maintained by the TonieToolbox core team.

Security:

  • Thoroughly reviewed and tested
  • Automatically approved for installation
  • No security warnings
  • Full compatibility guarantee

Examples: Plugin Manager GUI, built-in themes


✅ Verified

What it means: Community-developed plugins that have been reviewed and approved by TonieToolbox maintainers.

Security:

  • Code reviewed by maintainers
  • Security vetted
  • Author has proven track record
  • Info message on first installation

How plugins get verified:

  1. Author submits plugin to marketplace
  2. Maintainers review code for security issues
  3. Plugin functionality is tested
  4. Author is added to verified list
  5. All future plugins from this author are automatically verified


👥 Community

What it means: Community-contributed plugins that haven't been verified yet.

Security:

  • Not reviewed by maintainers
  • May access your files and network
  • Could contain security vulnerabilities
  • Install at your own risk

Security Warning: Community plugins require explicit user confirmation before installation. You'll see a warning dialog explaining the risks.

Best Practices:

  • Only install from authors you trust
  • Check the plugin's source code repository if available
  • Read reviews and ratings from other users
  • Start with official or verified plugins when possible

Visual Indicators

In the Plugin Manager GUI, you'll see trust badges next to each plugin:

  • 🏆 Official - Gold badge with special background
  • ✅ Verified - Green badge with checkmark
  • 👥 Community - Gray badge with people icon

The installation confirmation dialog also displays the trust level, making it easy to see the security status before installing.

Configuration

Allow Unverified Plugins

By default, TonieToolbox allows installation of community plugins after showing a security warning. You can disable this in settings if you want to restrict installations to verified plugins only:

[plugins]
allow_unverified = false
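The gating described under Trust Levels and controlled by this setting, as an added Python example that is not TonieToolbox's own code: a community plugin is blocked when allow_unverified is false, requires explicit confirmation when it is true (the default), a verified plugin gets an informational notice on first installation only, and an official plugin is approved automatically. The TrustLevel and Decision names, the `install` flow, and the author lists are assumptions for illustration; the config text mirrors the [plugins] fragment above.

```python
import configparser
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Tuple


class TrustLevel(Enum):
    OFFICIAL = "official"
    VERIFIED = "verified"
    COMMUNITY = "community"


class Decision(Enum):
    AUTO_APPROVE = "auto-approve"   # install silently (official, or verified after first install)
    INFO_MESSAGE = "info-message"   # install after an informational notice (verified, first install)
    WARN_CONFIRM = "warn-confirm"   # install only after the user confirms the warning dialog
    BLOCKED = "blocked"             # refuse: community plugin with allow_unverified = false


@dataclass(frozen=True)
class Plugin:
    name: str
    author: str


# Constructed sample lists (assumption; not the real TonieToolbox author lists).
OFFICIAL_AUTHORS: FrozenSet[str] = frozenset({"tonietoolbox-core"})
VERIFIED_AUTHORS: FrozenSet[str] = frozenset({"alice"})


def load_allow_unverified(config_text: str) -> bool:
    """Read [plugins] allow_unverified; the documented default is True (warn, but allow)."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    return parser.getboolean("plugins", "allow_unverified", fallback=True)


def trust_level(plugin: Plugin,
                official: FrozenSet[str] = OFFICIAL_AUTHORS,
                verified: FrozenSet[str] = VERIFIED_AUTHORS) -> TrustLevel:
    """Trust is derived from the author: verified authors' plugins are automatically verified."""
    if plugin.author in official:
        return TrustLevel.OFFICIAL
    if plugin.author in verified:
        return TrustLevel.VERIFIED
    return TrustLevel.COMMUNITY


def decide(level: TrustLevel, allow_unverified: bool, first_install: bool = True) -> Decision:
    """Map a trust level plus the allow_unverified setting to an installation decision."""
    if level is TrustLevel.OFFICIAL:
        return Decision.AUTO_APPROVE
    if level is TrustLevel.VERIFIED:
        return Decision.INFO_MESSAGE if first_install else Decision.AUTO_APPROVE
    return Decision.WARN_CONFIRM if allow_unverified else Decision.BLOCKED


def install(plugin: Plugin,
            config_text: str,
            confirm: Callable[[Plugin, str], bool],
            installed_before: FrozenSet[str] = frozenset()) -> Tuple[bool, Decision]:
    """Run the gate; returns (installed, decision). `confirm` stands in for the warning dialog."""
    level = trust_level(plugin)
    decision = decide(level, load_allow_unverified(config_text),
                      first_install=plugin.name not in installed_before)
    if decision is Decision.BLOCKED:
        return False, decision
    if decision is Decision.WARN_CONFIRM:
        warning = ("Community plugin: not reviewed by maintainers, may access your files "
                   "and network, and could contain security vulnerabilities.")
        return confirm(plugin, warning), decision
    # AUTO_APPROVE and INFO_MESSAGE both proceed; the notice is informational only.
    return True, decision


if __name__ == "__main__":
    restrictive = "[plugins]\nallow_unverified = false\n"
    for plugin in (Plugin("Plugin Manager GUI", "tonietoolbox-core"),
                   Plugin("theme-pack", "alice"),
                   Plugin("unknown-tool", "mallory")):
        print(plugin.name, trust_level(plugin).value,
              install(plugin, restrictive, confirm=lambda p, msg: False))
```

With the restrictive config the community plugin is blocked before any dialog is shown; with the default config the same plugin reaches the confirmation step and is installed only if the callback returns True.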

Verified Authors List

Maintainers manage the verified authors list. If you're a plugin developer and want to become verified:

  1. Submit your plugin to the TonieToolbox plugin repository
  2. Contact the maintainers via GitHub issues
  3. Pass the code review process
  4. Get added to the verified authors list

For Plugin Developers

How to Get Verified

  1. Build a Track Record:
     • Create high-quality, well-documented plugins
     • Respond to user issues promptly
     • Follow TonieToolbox coding standards
     • Maintain your plugins actively

  2. Submit for Review:
     • Open an issue in the TonieToolbox repository
     • Provide links to your plugin repositories
     • Explain your plugin's purpose and security measures
     • Be prepared for code review feedback

  3. Verification Process:
     • Maintainers review your code for security issues
     • Test your plugin functionality
     • Check for malicious code or vulnerabilities
     • Verify your identity and contact information

  4. Maintenance Requirements:
     • Keep plugins updated
     • Respond to security reports promptly
     • Follow responsible disclosure practices
     • Maintain code quality standards

Losing Verification

Verified status can be revoked if:

  • Security vulnerabilities are not fixed promptly
  • Malicious behavior is detected
  • Plugins are abandoned without notice
  • Code quality degrades significantly

Security Considerations

What Plugins Can Do

Plugins run with the same permissions as TonieToolbox, which means they can:

  • Read and write files on your system
  • Make network requests
  • Execute arbitrary code
  • Access TonieToolbox's internal data
  • Modify application behavior

Protecting Yourself

  1. Review Before Installing:
     • Check the trust level badge
     • Read the plugin description
     • Look for a source code repository
     • Check for user reviews/ratings

  2. Monitor Behavior:
     • Watch what files the plugin accesses
     • Check network activity if concerned
     • Report suspicious behavior to maintainers

  3. Keep Updated:
     • Update plugins regularly
     • Enable plugin update notifications
     • Review changelogs before updating

  4. Use Verified Plugins:
     • Start with official plugins
     • Prefer verified over community
     • Build trust gradually

Reporting Security Issues

If you discover a security issue in any plugin:

  1. Do NOT publicly disclose the vulnerability
  2. Contact the TonieToolbox maintainers privately via GitHub Security Advisories
  3. Provide details about the vulnerability
  4. Allow time for the issue to be fixed before public disclosure

Responsible disclosure helps keep the community safe!

FAQ

Q: Can I trust verified plugins completely?
A: Verified plugins have been reviewed, but no system is perfect. Always exercise caution and report suspicious behavior.

Q: How often are plugins re-reviewed?
A: Major updates are reviewed. Continuous monitoring helps catch issues between reviews.

Q: Can I become a verified author?
A: Yes! Build quality plugins, contribute to the community, and apply for verification.

Q: What if I need a feature only available in a community plugin?
A: Evaluate the risk vs. benefit. Check the source code if available, and proceed cautiously.

Q: How do I report a malicious plugin?
A: Use GitHub Security Advisories or contact maintainers directly with evidence.


Last updated: November 23, 2025