Comment by Terr_

2 months ago

> I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program.

If you're feeling extra-paranoid, the XPI file can be unpacked (ZIP) to check over the code for anything suspicious or unreasonably complex, particularly if the browser extension is supposed to be something simple like "move the up/down vote arrows further apart on HN". :P

While that doesn't solve the overall ecosystem issue, every little bit helps. You'll know it's time to run away if extensions become closed-source blobs.
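A first-pass triage of an unpacked XPI along the lines the comment above describes, as an added example that is not part of the original comment. The permission list, regex patterns, line-length threshold and the sample extension are assumptions constructed for illustration; it narrows what to read by hand and does not replace reading the code.

```python
import io, json, re, zipfile

# Heuristics below are assumptions for illustration, not Mozilla's review criteria.
SENSITIVE_PERMS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
                   "history", "tabs", "nativeMessaging", "clipboardRead"}
ANY_HOST = ("*://*/", "http://*/", "https://*/")
RISKY_JS = {
    "dynamic code": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "network call": re.compile(r"\bfetch\s*\(|XMLHttpRequest|WebSocket\s*\("),
    "encoded blob": re.compile(r"\batob\s*\(|[A-Za-z0-9+/]{200,}"),
}
MAX_LINE = 1000  # longer lines suggest minified or packed code

def review_xpi(source):
    """Return (file, finding) tuples for an XPI given as a path or file object."""
    findings = []
    with zipfile.ZipFile(source) as xpi:
        manifest = json.loads(xpi.read("manifest.json"))
        perms = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        for p in perms:
            if p in SENSITIVE_PERMS or p.startswith(ANY_HOST):
                findings.append(("manifest.json", f"sensitive permission: {p}"))
        for name in xpi.namelist():
            if not name.endswith(".js"):
                continue
            text = xpi.read(name).decode("utf-8", errors="replace")
            if any(len(line) > MAX_LINE for line in text.splitlines()):
                findings.append((name, "very long line (minified or packed?)"))
            for label, pattern in RISKY_JS.items():
                if pattern.search(text):
                    findings.append((name, label))
    return findings

def build_sample_xpi():
    """Constructed sample: a 'simple' extension that asks for more than it needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps({
            "manifest_version": 2, "name": "hn-arrow-spacer", "version": "1.0",
            "permissions": ["*://news.ycombinator.com/*", "cookies"]}))
        z.writestr("spacer.js", "document.querySelectorAll('.votearrow')"
                                ".forEach(a => a.style.margin = '6px');\n")
        z.writestr("util.js", "fetch('https://example.invalid/c', {method: 'POST'});\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for path, finding in review_xpi(build_sample_xpi()):
        print(f"{path}: {finding}")
```

Pass `review_xpi` the path to a downloaded `.xpi` to run it on a real extension; a finding is a prompt to open that file, not a verdict.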