Do KSP mods allow arbitrary code execution?
My kids want me to install some KSP mods. Some mods are just Config files, but I read that others contain C# code. Does this second class of mod allow arbitrary code execution? Could an unscrupulous mod developer install a virus or spyware via a mod, or is the mod system basically an airtight sandbox?
In theory, yes, a mod maker could use a mod to spread malware. This is true of pretty much any 3rd party program, regardless of intent or source.
There are, however, a couple of safety measures you can take to minimize the risks:
- Only download mods from well-known and trusted sites: Either at Curseforge (https://www.curseforge.com/kerbal/ksp-mods), which is officially endorsed by the makers of the game, OR Spacedock (https://spacedock.info/kerbal-space-program), which was created by fans who were unhappy when Squad (the makers of Kerbal) moved to Curseforge for mods. Both of these sites are well known by the community and have their reputation at stake over their mods being safe to use.
- Make sure all programs on your PC are up to date with the latest patches and updates.
- After downloading a mod, run it through a mass scan tool like VirusTotal or MetaScan before installing it.
- (Advanced) Use Sandboxie or another software sandboxer to install the mod and run Kerbal, to protect the rest of your computer in case a mod does have malware.
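
As an added example (not part of the original answer): a pre-install triage of a downloaded mod archive that tells a config-only mod apart from one shipping compiled code, and produces SHA-256 hashes to look up on a scan service such as VirusTotal. It assumes plugin code ships as `.dll` files inside a zip; the extension list, function names and sample archive are constructed for illustration.

```python
import hashlib
import io
import posixpath
import zipfile

# Assumption: plugin code ships as .dll; the other extensions are common
# executable/script types. Everything else is treated as data (configs, textures).
CODE_EXTENSIONS = {".dll", ".exe", ".so", ".dylib", ".bat", ".cmd", ".ps1", ".sh"}


def triage_mod_zip(data: bytes) -> dict:
    """Classify the entries of a mod archive without extracting anything."""
    report = {
        "archive_sha256": hashlib.sha256(data).hexdigest(),
        "code_files": {},    # path -> SHA-256, for hash lookup on a scan service
        "data_files": [],
        "unsafe_paths": [],  # entries that would land outside the install folder
    }
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.replace("\\", "/").split("/")
            if name.startswith("/") or ".." in parts or ":" in parts[0]:
                report["unsafe_paths"].append(name)
                continue
            ext = posixpath.splitext(parts[-1])[1].lower()
            if ext in CODE_EXTENSIONS:
                report["code_files"][name] = hashlib.sha256(archive.read(info)).hexdigest()
            else:
                report["data_files"].append(name)
    report["config_only"] = not report["code_files"] and not report["unsafe_paths"]
    return report


def build_sample_zip(files: dict) -> bytes:
    """Build a constructed sample archive in memory (not a real mod)."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for path, content in files.items():
            archive.writestr(path, content)
    return buffer.getvalue()


if __name__ == "__main__":
    print(triage_mod_zip(build_sample_zip({
        "GameData/ExampleMod/part.cfg": b"PART { name = example }",
        "GameData/ExampleMod/Plugins/Example.dll": b"MZ constructed bytes",
    })))
```

A `config_only` result of `False` means the archive contains code that will run with the game's privileges, so the scanning and sandboxing steps above apply to it.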