docs: state plainly that plugins run as trusted code

andreogle · andreogle · commit 0f1ee268b9eb · 2026-05-12T18:02:31.000-05:00
Add a danger admonition to the Plugins page (and a one-liner in the config
reference): a plugin runs in the airnode process with its env, filesystem, and
signing key — no sandbox; `onBeforeSign` plugins effectively share signing-key
authority. `config:` is a configuration mechanism, not a security boundary —
only run plugins you'd trust with the private key.
diff --git a/book/docs/config/plugins.md b/book/docs/config/plugins.md
@@ -48,6 +48,9 @@ startup** — a missing or malformed value (a typo'd URL, an absent required key
 than surfacing at first-request time. If a plugin exports no schema, the shape is the plugin's own responsibility; if a
 plugin doesn't accept config at all and you give it some, it's ignored with a warning.
 
+`config` is a configuration mechanism, not a sandbox: plugins still run as trusted code inside the airnode process. See
+[Plugins → trust](/docs/plugins) before adding one.
+
 ## Source resolution
 
 The `source` path is resolved relative to the config file's directory, not the working directory. This means the same
diff --git a/book/docs/plugins.md b/book/docs/plugins.md
@@ -8,6 +8,20 @@ sidebar_position: 9
 Plugins extend Airnode's request processing pipeline. They can reject requests, modify parameters, transform responses,
 alter encoded data, and observe events -- all without modifying the core node.
 
+:::danger Plugins run as trusted code
+
+A plugin runs **inside the airnode process** with the airnode's full privileges -- its environment variables, its
+filesystem, and its signing key. There is no sandbox. An `onBeforeSign` plugin can substitute the exact bytes the
+airnode signs, so it effectively shares signing-key authority (the airnode logs a `SECURITY:` warning at startup listing
+any such plugins). The `config:` block (below) is for clean configuration -- explicit, validated, no implicit
+`process.env` grubbing -- **not** a security boundary.
+
+**Only run plugins you would trust with your private key.** Pin and review plugin sources the same way you protect the
+key itself; when running third-party plugins, prefer real environment variables or a secret manager over an on-disk
+`.env` (a plugin can read files the airnode can reach).
+
+:::
+
 ## Hook overview
 
 Six hooks fire at specific points in the pipeline:
