The wariness should extend to .ado code as well.
It's a fair bet that almost all downloaders of
.ado code never look inside, but anyone nasty
could easily include Stata commands that do
very nasty things, although I won't spell out
any examples even in broad terms, obvious though they
will be to many readers. And that needn't
include shell calls.
In practice, I have not heard of any such thing
in 14 years of using Stata and following the community
closely. The naughtiness of
Stata programmers does not, it seems, extend beyond
some occasional dilatoriness in fixing known bugs.
More positively, those who distribute code do so
for some mix of reasons, which can simultaneously
include (a) they are nice, friendly people
(b) their gratification includes the extent to
which other people use their work. Any reputation
would be destroyed instantly by one nasty program.
Among other things, I would barely trust any program
distributed by anyone using a pseudonym. Some people
use a pseudonym in communicating with Statalist, which
is their concern. As a matter of curious fact, none of them
appears ever to contribute Stata programs to the
Also in principle, one should be wary of a program
written by someone whose work you have never used before.
I admit that this would make it difficult for a first-time
programmer to be taken seriously, but usually anyone
who starts distributing code has previously contributed
answers to Statalist and shown their expertise that way.
>>> James Muller
Have there been any cases of malicious code being distributed via Stata
plugins? Too easy to track the author, perhaps. It would be just so easy
to do bad things with Mata or plugins. Could even do it so the program
gets over-written with something innocent-looking afterwards.
Is it just me or does this seem like an extremely vulnerable point