Using obfuscated plugins puts game developers at risk, according to a member of the official RPG Maker forums.
In a thread discussing the encrypted VisuStella plugins, Faherya wrote a post pointing out a big problem with them:
1) If you don’t know what’s there, your data and your machine are at risk.
2) If you ignored the first point, you are exposing the machines of the people to whom you plan to distribute the project. And if there is a problem, the responsibility is yours. From virus infections or data leaks, it will be left to you judicially.
3) It is not feasible to carry out tests to find out if the script is doing what it says to do in the best way. Closed source cannot be audited and, consequently, optimized.
The above was posted on August 22, 2020. Unfortunately, further discussion wasn’t allowed. RPG Maker Web staff member and VisuStella team member Archeia closed the thread without giving anyone the chance to address the concerns raised by Faherya.
Obfuscated plugins hide their source code, which means that game developers using them don’t know exactly what the code does. It could be doing anything, from opening up the doors for more elaborate malware, to mining cryptocurrencies in the background, gathering usage statistics or even searching the computer for personal files or data to send to some server somewhere.
To be fair, the obfuscated plugins aren’t likely to be doing any of that, but if they do, and the players of games that use those plugins find out, they are going to blame whoever made the game, not the authors of plugins used in the game.
Even if the plugin authors themselves don’t put malware into their obfuscated plugins, someone could add obfuscated malicious code to one of these plugins and distribute the edited, evil version — and no one would know, because it’s all obfuscated.
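One way a game developer can at least notice an edited copy is to pin a SHA-256 digest of every plugin file when it is obtained directly from its author, and compare against those digests before shipping. The following is an added example, not code from the original article or from any plugin project; the file names and file contents are constructed stand-ins.

```javascript
// Added example: pin SHA-256 digests of plugin files and detect edited copies.
const crypto = require("crypto");
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Hex SHA-256 of a file's bytes.
function sha256(bytes) {
  return crypto.createHash("sha256").update(bytes).digest("hex");
}

// Build { fileName: digest } from the files obtained from the trusted source.
function buildManifest(files) {
  const manifest = {};
  for (const [name, bytes] of Object.entries(files)) manifest[name] = sha256(bytes);
  return manifest;
}

// Compare the files about to ship against the pinned manifest.
function verifyPlugins(manifest, files) {
  const report = { modified: [], missing: [], unexpected: [] };
  for (const [name, expected] of Object.entries(manifest)) {
    if (!has(files, name)) report.missing.push(name);
    else if (sha256(files[name]) !== expected) report.modified.push(name);
  }
  for (const name of Object.keys(files)) {
    if (!has(manifest, name)) report.unexpected.push(name);
  }
  report.ok = !report.modified.length && !report.missing.length && !report.unexpected.length;
  return report;
}

// Constructed sample data: stand-ins for obfuscated plugin files (hypothetical names).
const trusted = {
  "Example_Core.js": Buffer.from("var _0x1a2b=['init'];(function(){/* obfuscated */})();"),
  "Example_Battle.js": Buffer.from("var _0x3c4d=['start'];(function(){/* obfuscated */})();"),
};
const pinned = buildManifest(trusted);

// Constructed redistributed copy: one file has bytes appended, one file is new.
const shipped = {
  "Example_Core.js": Buffer.concat([trusted["Example_Core.js"], Buffer.from(";(function(){})();")]),
  "Example_Battle.js": trusted["Example_Battle.js"],
  "Example_Extra.js": Buffer.from("/* not in manifest */"),
};

console.log(verifyPlugins(pinned, shipped));
```

This only shows that a file differs from the pinned copy. It says nothing about what the pinned, obfuscated copy itself does.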
If any problem arises, players are going to blame the author of the game.
Do you think the risk is worth it?