Question/concern about a plugin

I don't know if I'm over-reacting or if it's simply my ignorance, but.
This plugin: Joplin Plugins - MailPlugin
I tried to look for the source, I didn't find anything on google or github, not even the user, and when you try to look at the source code on the plugin page, it seems to be obfuscated or the output of some bundler/js-compiler, wut?

Can anyone tell?

Yup. Definitely sus. No webpage linked from the plugin within the plugins section of the Joplin application itself and from the joplinapp webpage you can get no information about the project. I would avoid this plugin until someone with greater mojo can investigate.

Searching for their username brings up a github profile that has, as its only public project, a repo for that plugin: GitHub - MrHipppo/joplin-mail-plugin: A Plugin for Joplin to get Notes from a Mail address

The contents of the index.js file on the page you linked are also pretty normal, if you check it out for any other plugin - that's not the author's direct code, but the result of the building process.

I'm noting that I did not read the plugin source code on their GitHub, but it looks normal at first glance and I see no real reason to distrust it implicitly. I recently wrote two plugins and forgot to include my name and repo in the manifest file for one of them for its first two releases.

1 Like

I don't trust plugins that don't have clear documentation or links to a project or some such. At best, it shows a lack of rigor and polish and I don't expect the project to be maintained. At worst, it could be something damaging or even a scam. I don't want to have to do detective work to unearth where a plugin is maintained then determine if it is legit, etc.

Hmm, yes, especially when the plugin has full access to your emails. That feels wrong to have this in the repository, but in general we can't do much until the vetting process we've been considering is implemented. In the meantime, checking the user and repository is the best option.

2 Likes

Regarding a possible vetting process, some parts could probably be semi-automated. Attaching an attempt (probably not the best one) at an automatic review of the aforementioned plugin (my own plugins would benefit from a similar auto-review).

plugin-review.md (4.7 KB)

4 Likes
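One part of such a review that is easy to semi-automate is the provenance check the thread keeps coming back to: does the manifest name an author and point at a homepage or repository, and does the repository owner match the author? The script below is an added example, not from the thread or from any Joplin project code; it assumes the manifest field names `author`, `homepage_url` and `repository_url`, and the sample manifest is constructed.

```python
import json
from urllib.parse import urlparse

# Hosts whose first path segment is the repository owner (assumption for this example).
CODE_HOSTS = {"github.com", "gitlab.com", "codeberg.org"}

def repo_owner(url):
    """Return the owner segment of a recognised https repository URL, or None."""
    parts = urlparse(url)
    host = parts.netloc.lower().removeprefix("www.")
    segments = [s for s in parts.path.split("/") if s]
    if parts.scheme != "https" or host not in CODE_HOSTS or len(segments) < 2:
        return None
    return segments[0]

def review_manifest(manifest):
    """Return a list of provenance findings for one plugin manifest (empty list = nothing flagged)."""
    findings = []
    author = (manifest.get("author") or "").strip()
    homepage = (manifest.get("homepage_url") or "").strip()
    repo = (manifest.get("repository_url") or "").strip()
    if not author:
        findings.append("no author in manifest")
    if not homepage and not repo:
        findings.append("no homepage_url or repository_url: source cannot be located from the manifest")
    if repo:
        owner = repo_owner(repo)
        if owner is None:
            findings.append(f"repository_url is not an https URL on a recognised code host: {repo}")
        elif author and owner.lower() != author.lower():
            findings.append(f"author {author!r} differs from repository owner {owner!r}; confirm they are the same person")
    return findings

# Constructed sample: the situation described in the thread, a manifest with no author and no links.
SPARSE_MANIFEST = json.loads(
    '{"id": "com.example.mailplugin", "name": "MailPlugin", "version": "1.0.0", "app_min_version": "2.0"}'
)

if __name__ == "__main__":
    for finding in review_manifest(SPARSE_MANIFEST):
        print("FLAG:", finding)
```

Run it against the manifest.json of an installed plugin; an empty result only means the provenance fields are present and consistent, not that the code itself has been reviewed.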

Yes that's a good idea. Especially for TypeScript, a proper automated review may be possible. Which tool did you use for this one?

This was Cursor with the model claude-4-sonnet, and this simple prompt:

review the plugin in this repository in terms of security, stability of the plugin, and stability of the joplin app. flag critical issues.

2 Likes