You may have recently read the article regarding the severe security flaws that exist in Kodi. If you haven’t then I strongly urge you to do so, you can find it here.
Well, this add-on was created immediately after realising just how severe those risks are. The add-on will not forcibly remove content from your system (as suggested in some camps) and does require some basic common sense when using it, so let’s go through the features and explain what they all do…
This is the main function that will be used the most and it currently checks 4 things:
These are items found on your system confirmed by the development team at NaN to be causing some kind of problems on Kodi installs. Often it’s something as simple as the repository maintainer re-uploading bad versions of add-ons and script modules. Whilst it’s unlikely this was malicious intent, it can cause considerable problems with your installs, such as not being able to update add-ons to working versions. It’s rare the team receive a report on something like this and there are currently only a handful of add-ons in this list – we can assure you only items found to be causing problems will appear in this section.
If a developer feels their content has been flagged wrongly they can contact us with evidence that they’ve fixed the issues and we’ll be more than happy to remove from this list. As you can see in the screenshot above you’ll get a warning message explaining how many of these add-ons were found on your system, when you click ok you’ll get a full screen text message explaining what all this means followed by the option to quarantine all or select…
You’ll have the option to quarantine everything or select the items you want to quarantine. If you click the select option you’ll see a screen listing all your add-ons that have been flagged and as you scroll down through them you’ll see a description of why they’ve been flagged. As with all these sections you can choose as many as you want to quarantine, if you don’t want to quarantine any just click cancel.
Anything showing here is content that has been confirmed as deprecated (no longer being developed and dead). The vast majority of the time this is due to website closures and the developer has marked the item as broken in their addon.xml file. The community can also help mark things as broken by using the Add-on Portal and clicking on “EDIT” when they find an add-on they know is broken. Items marked by the community will not appear in this part of the scan though, as they are unconfirmed. They will only appear in this section if the developer has marked them as broken, or it’s become clear there is no way the add-on can be revived (due to website closures) and NaN admin have marked it up as such. This generally only happens if the original developer is no longer active and is not maintaining their addon.xml file.
If the system comes across anything that’s not scanned into the Add-on Portal then it will show as unknown. This is not a bad thing, it just means the system cannot verify the legitimacy of it. If you come across any add-ons like this please post up on the forum with full details of where the add-on can be obtained (preferably a repository) and it can be added to the portal. Alternatively any members with 5 or more posts can add details of new add-ons themselves via the Add-on Portal homepage, you’ll see a link in the very first piece of text.
If the system finds an item that’s showing as a new version available on the Add-on Portal it will notify you. This is extremely useful if you’ve installed via a zip without the correct repository being installed. Unless you install the relevant repository you WILL NOT receive automatic updates in Kodi, so when the add-on breaks it will stay broken on your system. Due to a lot of misinformation on blog sites, YouTube and social media there is a lot of confusion over what exactly a repository is… If you enter a URL into your file manager, that is NOT a Kodi repository – that is just a source where you can install zip files from. It performs no function other than being an easy way to find zip files. If you want an add-on to auto update you must have the relevant repo installed too, and this is where this function comes in handy, as you can see in the screenshot above. If you already have the relevant repo installed the system will just push an update notification to Kodi and take you to the built-in Kodi add-ons section (in settings).
This doesn’t make any calls to noobsandnerds whatsoever, it sends a command to Kodi to check all the repositories for updates. In the Kodi log there is some information which says whether or not any of the repositories failed to resolve, this is usually due to having repositories on there which were quick flash in the pan ones for things like IPTV. Often money making schemes, here today gone tomorrow types. That being said there are a number of other reasons the URL didn’t resolve; could be the server the developer is hosting their content on is failing for some reason (could be a temporary thing), could be the developer accidentally pushed a bad update or it could just be the website the developer was using for hosting is no longer available. There are hundreds of devs that used to host their content on the googlecode servers and they are all now dead so if you have any of those they will certainly be flagged in here.
What should I do with items in here?
Well that’s a decision only you can take, the best solution is to do some googling and find out if you can see any information on why that particular repo is suddenly failing. If you contact the developer they would be able to let you know whether or not it’s due to come back. Keeping old unused repositories is a severe security risk so we highly recommend removing them as soon as they are no longer working. See this page for full details.
It may be you have some items on your system which are being flagged during the scan but you’re happy with the legitimacy of them and don’t want them to show up in future scans. Well, that’s absolutely fine and very easy to do: just click on this option and you’ll then be able to add/remove as much as you want to and from your whitelist as shown below:
Accidentally put something in quarantine that you shouldn’t have? Don’t fear it’s very simple to restore your quarantined items, just click on this option and it will list all the items you currently have in quarantine. Tick the items you want to restore and that’s it – they will be moved back and you’ll be kicked back to the Kodi homepage as the profile reloads. Please note this option only appears if you actually have content quarantined.
The items in here are designed for the more technical users who want to know more about what’s on their system so let’s have a look at the options…
Show add-ons capable of running system tasks:
This will scan through all the add-ons you have installed and look for certain keywords. It will check for any reference to os.system and subprocess.call commands. There are perfectly legitimate reasons why these can be used; sometimes there’s no alternative for performing some maintenance based tasks other than using system commands (force close for example). However, these commands could well be used for injecting bad code or gaining control of your system, so if you are worried about an add-on using one of these commands you should check the code to double check just what system commands it’s sending. I can tell you now that Community Portal uses the os.system command for the kill Kodi function; it’s only called if and when you choose the force close function.
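The keyword check described above can be reproduced by hand when you want to see exactly which line triggered a flag. This is an added example, not Security Shield's own code; the add-on folder names and file contents are constructed samples, and the regular expression only covers the two calls the article names.

```python
import os
import re
import tempfile

# The two calls the article names; add more patterns to widen the audit.
PATTERN = re.compile(r"\b(os\.system|subprocess\.call)\s*\(")

def scan_addons(addons_dir):
    """Map add-on folder name -> [(file, line_no, call, source_line), ...]."""
    findings = {}
    for addon_id in sorted(os.listdir(addons_dir)):
        root = os.path.join(addons_dir, addon_id)
        if not os.path.isdir(root):
            continue
        for folder, _dirs, files in os.walk(root):
            for name in sorted(files):
                if not name.endswith(".py"):
                    continue
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        code = line.split("#", 1)[0]  # crude: drop trailing comments
                        match = PATTERN.search(code)
                        if match:
                            findings.setdefault(addon_id, []).append(
                                (os.path.relpath(path, root), line_no, match.group(1), line.strip()))
    return findings

def build_sample(base):
    """Constructed sample: two made-up add-ons, one of which shells out."""
    samples = {
        ("plugin.video.example", "default.py"):
            "import os\n# os.system() is only mentioned in this comment\nprint('hi')\n",
        ("script.example.tools", "kill.py"):
            "import os, subprocess\nos.system('killall kodi')\n"
            "subprocess.call(['ls', '-l'])\n",
    }
    for (addon_id, name), text in samples.items():
        os.makedirs(os.path.join(base, addon_id), exist_ok=True)
        with open(os.path.join(base, addon_id, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return base

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return scan_addons(build_sample(tmp))

if __name__ == "__main__":
    for addon_id, hits in demo().items():
        for rel, line_no, call, text in hits:
            print(f"{addon_id}: {rel}:{line_no} uses {call}: {text}")
```

A hit is a prompt to read the surrounding code, not a verdict: the scan reports where a system command is sent, and the reader still has to judge what that command does.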
Show add-ons running as a service
This will scan your addon.xml files to see which add-ons run as a service. Running as a service is fairly common these days especially if some kind of routine maintenance task is to be carried out. As an example you can set Security Shield to automatically scan every so often and Community Portal has the ability to clear stale cache on a regular basis. If you have an add-on with library integration then there’s a good chance that will also be running as a service as it will be checking periodically for updates on the web.
All that being said it’s a very easy way for hackers to do some data mining, a service really could be run to perform any kind of task so be very careful when installing content and if you see an add-on in here that doesn’t appear to have any reason as to why it’s running as a service we recommend contacting the add-on developer who should be more than happy to explain the situation to you.
It’s worth noting that even if you don’t have the add-on set up to be running as a service Kodi will still see it as a service. Let’s take Security Shield as an example… If you have the auto-scan disabled in the settings Kodi will still open the python code and run it as a service, but the code then tells Kodi “hey it’s ok, don’t bother running any of this code as the user has the option disabled”. So before jumping to conclusions with any add-on devs please bear that in mind: it will show false positives and ALL add-ons capable of running as a service will show.
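Both the service check here and the developer's "broken" marker mentioned earlier come from addon.xml, so one parser can report both. This is an added example, not the add-on's own code; it assumes the usual addon.xml layout (a service declared as an extension with point="xbmc.service", and a broken element inside the xbmc.addon.metadata extension), and the add-on ids in the samples are made up.

```python
import xml.etree.ElementTree as ET

def inspect_addon_xml(xml_text):
    """Return the add-on id, its declared services and any <broken> note."""
    # addon.xml is third-party input: parse it, never evaluate anything from it.
    root = ET.fromstring(xml_text)
    services, broken = [], None
    for ext in root.iter("extension"):
        point = ext.get("point", "")
        if point == "xbmc.service":
            # Declared service: Kodi starts this script whether or not the
            # add-on's own settings later tell it to do nothing.
            services.append(ext.get("library"))
        elif point == "xbmc.addon.metadata":
            node = ext.find("broken")
            if node is not None:
                broken = (node.text or "").strip()
    return {"id": root.get("id"), "services": services, "broken": broken}

# Constructed addon.xml samples (assumed layout, made-up ids).
SAMPLES = [
    """<addon id="service.example.autoscan" name="Auto Scan" version="1.0.0">
  <extension point="xbmc.python.script" library="default.py"/>
  <extension point="xbmc.service" library="service.py" start="startup"/>
  <extension point="xbmc.addon.metadata"><summary>Scheduled scan</summary></extension>
</addon>""",
    """<addon id="plugin.video.example" name="Example Video" version="0.3.1">
  <extension point="xbmc.python.pluginsource" library="default.py"/>
  <extension point="xbmc.addon.metadata"><broken>Source website closed</broken></extension>
</addon>""",
]

def triage(xml_texts):
    """Summarise which add-ons declare a service and which are marked broken."""
    rows = [inspect_addon_xml(text) for text in xml_texts]
    return {
        "services": [r["id"] for r in rows if r["services"]],
        "broken": {r["id"]: r["broken"] for r in rows if r["broken"] is not None},
    }

if __name__ == "__main__":
    print(triage(SAMPLES))
```

As the paragraph above says, this lists every add-on capable of running as a service; whether the service script actually does anything can only be settled by reading the library file it names.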
Unobfuscate (decompile) an add-on
For any nerds out there the title is actually a little misleading as it doesn’t actually unobfuscate as such. If you have an add-on installed and you’re concerned about the code it may be running, you may find some devs choose to encode their work using base64 encoding. To decode it back to normal text is dead simple, you just need to change the exec command to print – it really is that easy! However, this will do the hard work for you and will even loop through running the process several times if needed until human-readable code has been found.
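The decode loop can also be done without running the add-on's code at all, by pulling the base64 string out of the wrapper and decoding it directly. This is an added example, not the add-on's own implementation; the wrapper shape matched by the regular expression and the nested sample are assumptions constructed for the demonstration.

```python
import base64
import binascii
import re

# Matches exec(base64.b64decode("...")) and the Python 2 form without the
# outer parenthesis. Other wrapper shapes need their own pattern.
WRAPPER = re.compile(
    r"""exec\s*\(?\s*(?:base64\.)?b64decode\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)"""
)

def peel(source, max_layers=10):
    """Decode nested base64 exec wrappers statically; nothing is executed.

    Returns (innermost_source, layers_removed).
    """
    layers = 0
    while layers < max_layers:
        match = WRAPPER.search(source)
        if not match:
            break  # no wrapper left: this is the readable layer
        try:
            source = base64.b64decode(match.group(1)).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            break  # not valid base64 text: stop and return what we have
        layers += 1
    return source, layers

def wrap(code):
    """Build one constructed wrapper layer around `code` for the demo."""
    blob = base64.b64encode(code.encode("utf-8")).decode("ascii")
    return 'import base64\nexec(base64.b64decode("%s"))\n' % blob

# Constructed sample: a harmless line wrapped three times.
INNER = "print('hello from the add-on')\n"
SAMPLE = wrap(wrap(wrap(INNER)))

if __name__ == "__main__":
    code, layers = peel(SAMPLE)
    print("layers removed:", layers)
    print(code)
```

Because the payload is decoded rather than passed to exec or print inside a running interpreter, none of the add-on's code runs while you inspect it.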
Delete from quarantine vault
Use with care! If you select this option it will completely remove an item from your quarantine vault. WARNING: Once it’s gone there’s no getting it back, having things in your vault is not a security risk but if you’d like to remove it anyway then this is the option for you.
Below is the initial video guide which was created for the first release. There have been some nice improvements and new features since then but it’s a good starting point.