If someone builds a custom weakauras for me, is it possible he could put malware in it?
There could potentially be malicious Lua in it but not malware per-sey.
Malware, no. Weakauras, like all addons, run entirely within WoW and have no access to write anything outside that context.
It is theoretically possible they could write a Weakaura that scams you in-game, by silently deleting all your gear or trading away all your gold, but that’s unlikely.
Either have a person you trust make the Weakaura, grab one from wago.io (they do code review on their submissions), or build it yourself (it’s not as hard as it initially seems unless you want some really crazy custom stuff).
In classic wow, blizzard made a ton of things accessible through it’s publicly usable wow API’s. That allowed someone to steal another players gold when the thief gave that his victim a weakaura string to import and the victim didn’t check what the WA did.
Over time blizzard has tightened up their apis to prevent this kind of thing. But because classic wow is supposed to be “just like vanilla” and players got the earlier, less safe, apis.
Weakaura is as safe as any wow addon. The import strings you get from wago.io are already scanned for possible problems by wago itself, and you can check the custom code on a weak aura before importing it.
There’s still the possibility that someone will be able to find a security flaw in blizzards apis, and then convince unsuspecting people to import a weakaura string that uses that exploit to do mean things. Weak auras isn’t the only addon that could be leveraged to take advantage of that exploit at someone else’s expense.
Downloading from known trusted sources (like wago) helps protect yourself. Don’t import weak aura strings from people you don’t really know and if you do, examine the code if there is any.
You guys think the inevitable demise weakauras by wizenink#2721
is safe?
it has: 13 stars, 900 installs, 7k views…
which isn’t much so i’m kinda paranoid lol
There’s no custom code in that WA at all.
If you go to the editor tab and click the Table data dropdown it’ll show you. Also, wago scans all the WAs on their site for malicious code.
2 Likes
Yeah i can’t read LUA never used it :"(
but ty for heads up! 
Could they harm you, yeah!
This is why, just use wago and download only highly rated ones.