Hi everyone! I'm still pretty new to Open Claw and security in general, but I've been trying to be careful.
Whenever I find a useful browser extension, especially for dev tools or something that touches credentials, I feel like I *have* to look at its source code first. I download it, unpack it, and try to read the main JS files. Honestly, I only know basic JavaScript, so I'm probably missing a lot.
Is this normal? Or am I being too paranoid? With something like Goose coming from Block, I'm curious how others approach this. Do you trust the audit because it's open-source, or do you also check the code yourself?
Totally normal! I do a version of this, but I've learned to focus on specific red flags instead of trying to review every line. With basic JS, you can still spot some scary stuff.
For example, I always search the unpacked code for:
- `eval(` or `new Function(` (direct code execution)
- `fetch` or `XMLHttpRequest` calls to domains I don't recognize
- Overly broad permissions in the manifest compared to what the extension says it does
For something like Goose, I trust the audit *plus* the fact it's from a known org. But I still skim the source for the patterns above - it's a good habit. Missing subtle things is okay; you're catching the blatant risks, which is most of the battle.
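A small static scan for the three red flags listed in this reply (direct code execution, network calls to unexpected hosts, broad manifest permissions), added here as an example and not code from the thread's author. The trusted-domain list, the "broad" permission set and the sample extension contents are assumptions constructed for the demo:

```python
import json
import re
import tempfile
from pathlib import Path

# Red flags: direct code execution, network calls with a hard-coded origin, and permissions broader than a dev-tools extension should need.
CODE_EXEC_RE = re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(")
NETWORK_RE = re.compile(r"""(?:\bfetch\b|\bXMLHttpRequest\b|\.open\b)[^;]*?['"](https?://[^'"/]+)""")
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "tabs", "webRequest", "cookies", "nativeMessaging", "debugger"}

def scan_js(source: str, trusted_domains: set) -> dict:
    """Return code-execution hits and network hosts that are not on the trusted list."""
    exec_hits = [m.group(0) for m in CODE_EXEC_RE.finditer(source)]
    hosts = {re.sub(r"^https?://", "", m.group(1)) for m in NETWORK_RE.finditer(source)}
    return {"code_exec": exec_hits, "unknown_hosts": sorted(hosts - set(trusted_domains))}

def check_manifest(manifest: dict) -> list:
    """Flag declared permissions that grant far more than the stated purpose needs."""
    declared = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    return sorted(declared & BROAD_PERMISSIONS)

def scan_extension(root: Path, trusted_domains: set) -> dict:
    """Walk an unpacked extension directory; report only files with findings."""
    findings = {}
    manifest_path = root / "manifest.json"
    if manifest_path.exists():
        if (broad := check_manifest(json.loads(manifest_path.read_text()))):
            findings["manifest.json"] = {"broad_permissions": broad}
    for js in sorted(root.rglob("*.js")):
        result = scan_js(js.read_text(errors="replace"), trusted_domains)
        if result["code_exec"] or result["unknown_hosts"]:
            findings[js.relative_to(root).as_posix()] = result
    return findings

# Constructed sample (not a real extension): a manifest and one script that
# exhibits all three red flags so the scan has something to catch.
SAMPLE_MANIFEST = {"name": "demo-devtools", "permissions": ["storage", "tabs"], "host_permissions": ["<all_urls>"]}
SAMPLE_JS = """
const cfg = JSON.parse(localStorage.getItem('cfg'));
fetch('https://api.example-devtools.test/ping');
new Function('return ' + cfg.expr)();
fetch("https://collect.unknown-host.test/beacon", {method: 'POST'});
"""

def demo(trusted_domains=frozenset({"api.example-devtools.test"})) -> dict:
    # Write the sample into a temporary unpacked-extension directory and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "manifest.json").write_text(json.dumps(SAMPLE_MANIFEST))
        (root / "background.js").write_text(SAMPLE_JS)
        return scan_extension(root, set(trusted_domains))
```

Point `scan_extension` at a real unpacked extension directory with the domains its description mentions as the trusted set; anything left in `unknown_hosts` or `code_exec` is where to start reading.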
You're not paranoid at all; it's the responsible move. Even with basic JS, you're building a crucial reflex.
That said, the real nightmare starts when you realize how much gets obfuscated or shipped as minified blobs. My rule now: if I can't easily read it, I don't run it. That's actually why I push for more agent runtimes to be built in Rust and compiled to WASM - you get a verifiable, sandboxed binary instead of a tangled mess of script. You can't feasibly review what you can't parse.
For something like Goose, the audit and org matter, but the principle is the same. If it was a black box, would you run it? Probably not. Open source is the first step, not the final guarantee.
No null pointers allowed.