Auditing plugins for security

My company is very concerned about security, but I also want to be able to take advantage of the many plugins in the community. How can I be sure that a plugin isn’t shipping my designs off to a competitor, or even just collecting analytics that we don’t want?

In the world of open source Sketch plugins, I can view the plugin source and fork my own version if there’s anything I need to remove. Is a similar process possible with Figma plugins?

Some plugins are open source, some aren’t. If the plugin is open source, you can obviously audit it and spin up your own version, but if it isn’t — you can only find the code that runs in the browser and audit it (which sometimes is compiled and obfuscated, so the task wouldn’t be easy).
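A first pass over a non-open-source plugin's browser-side bundle can be automated before reading it by hand. The following is an added example, not code from this thread or from Figma: it counts the browser APIs a plugin UI could use to send data out and lists every hard-coded host, flagging those not on an allowlist you supply (the `.invalid` hosts in the sample bundle are constructed placeholders).

```javascript
// Added example, not from the thread or from Figma: static triage of a plugin's
// browser-side bundle for network sinks and hard-coded remote hosts. It narrows
// what to read by hand; obfuscated or dynamically built URLs will not match.
const NETWORK_SINKS = { // browser APIs through which a plugin UI can send data out
  fetch: /\bfetch\s*\(/g,
  xhr: /\bnew\s+XMLHttpRequest\s*\(/g,
  websocket: /\bnew\s+WebSocket\s*\(/g,
  beacon: /\bnavigator\.sendBeacon\s*\(/g,
  image: /\bnew\s+Image\s*\(/g, // pixel beacons: new Image().src = "https://..."
};
const URL_RE = /https?:\/\/[^\s"'`)]+/g; // absolute URLs inside string literals

function countSinks(source) {
  const counts = {};
  for (const [name, re] of Object.entries(NETWORK_SINKS)) {
    const n = (source.match(re) || []).length;
    if (n > 0) counts[name] = n;
  }
  return counts;
}

function findHosts(source) {
  const hosts = new Set();
  for (const raw of source.match(URL_RE) || []) {
    try { hosts.add(new URL(raw).hostname); } catch { /* not a parseable URL */ }
  }
  return [...hosts].sort();
}

// allowedHosts: hosts the plugin legitimately needs (assumption: you know these
// from its description or from asking the author; everything else is flagged).
function auditBundle(source, allowedHosts) {
  const allowed = new Set(allowedHosts);
  const hosts = findHosts(source);
  return {
    sinks: countSinks(source),
    hosts,
    unexpectedHosts: hosts.filter((h) => !allowed.has(h)),
  };
}

// Constructed sample bundle (placeholder .invalid hosts, not a real plugin).
const SAMPLE_BUNDLE = `
  parent.postMessage({ pluginMessage: { type: "export-done" } }, "*");
  fetch("https://api.example-plugin.invalid/fonts").then(r => r.json());
  fetch("https://collect.example-analytics.invalid/v1", { method: "POST", body: JSON.stringify(doc) });
  const px = new Image(); px.src = "https://px.example-analytics.invalid/p.gif?u=" + uid;
`;
console.log(JSON.stringify(auditBundle(SAMPLE_BUNDLE, ["api.example-plugin.invalid"]), null, 2));
```

A hit only tells you where to look; confirm what actually leaves the page with the devtools network tab, since the scan cannot see URLs assembled at runtime.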

I have not found any plugins on Community which include links to source. Is that not very common? Is there even a field for that when submitting a plugin?

As it stands I guess I’d have to ask each author if they can provide source.

I guess you could also look at the network tab in the browser’s devtools to see if anything’s headed somewhere it shouldn’t.

There is a description field where authors can put links to anywhere. Just found this list of plugins which are open source: GitHub - thomas-lowry/figma-plugins-on-github: A list of Figma Plugins that have been shared on Github.

Thanks, that’s a good list!

I also found that in the network tab of devtools, I can filter requests with “-domain:*”.

I see a lot of calls to “” but I assume that’s just Figma’s own analytics?

Yes. All the requests made when no plugins are running are Figma’s own requests (since plugins can’t run in the background and automatically).