
How safe is Winget and downloadable sources?

dvxtawa5lrwb (New Member, joined Jun 1, 2025, 28 messages)
I am coding a shell script similar to WinUtil. Without any coding knowledge, it is going really well thanks to AI. The script has an app download function. Let's say I told the AI to add a WhatsApp installation button and it uses the Winget method. How can I verify that the source is safe? Because I want to add many programs to it, but I'm not sure if all the programs are officially added to winget or how it really works.

Let's say I want to add WhatsApp and WARP to my script. Should I use the codes on this page?


Is there a possibility that AI may accidentally choose sketchy sites and use their line in my code and I download a fake Telegram, etc.?

Could you please give me some basic and short information and explanation?
 
How can I verify that the source is safe?
You can look at what is being called in the code; but I will be honest, in just asking some of these questions it seems you have no experience in this and are relying on AI to do not only the heavy lifting but the actual thought.

or how it really works

In your case WhatsApp seems to be called from the WhatsApp repo. Like almost everything else, it seems to be third party.


Is there a possibility that AI may accidentally choose sketchy sites

Of course. Especially if you are modifying the repos and getting apps from different sources. A lot of tools are community driven and as such can be unsafe.

You can read more about how all of this works at the official winget repo (by microsoft) though I warn you, it may be a bit above bar for you.

 
You can look at what is being called in the code; but I will be honest, in just asking some of these questions it seems you have no experience in this and are relying on AI to do not only the heavy lifting but the actual thought.
I am not a total newbie, but I think calling myself experienced would be a disrespect to the others that are really experienced. Because at the end of the day, I am still a newbie who asked the simplest winget question.

I already have a decent, flawlessly working shell script with a perfect GUI. I know how to use AI and whenever I make an improvement on the script, I test everything to make sure it's flawless every time. I am just worried about the sources.

Of course. Especially if you are modifying the repos and getting apps from different sources.
I mainly get the codes from the winget.run website. I also read that the "winget show" function can be used to verify the real source or whatever for the installs. How accurate is it, and can it really be used to verify them?
 
How accurate is it and can it really be used to verify them?

It's a community repo; the correct answer is that it cannot be trusted. Unless you find the repo or site hosting the package winget is calling and contact those administrators, we here at TPU cannot tell you that the package is safe and has not been intercepted or tampered with.

If security is paramount to you, then eventually as maybe an extension of your project and skill you can download known clean copies of these tools and host them yourself and call those with winget. You could also check it against known good hashes from manual downloads you got yourself.

Until then it is a roll of the dice. Though for the most part, high visibility community packages are likely going to be just fine, for what it's worth.
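The check the reply above describes (look at what winget is actually calling, then compare the download against a known hash and the publisher's signature) can be scripted before a package is wired into a WinUtil-style script. The following is an added example, not code from this thread or from Microsoft; it assumes the community manifest ID WhatsApp.WhatsApp (confirm with `winget search WhatsApp`) and the "Installer Url:" / "Installer SHA256:" labels that current winget versions print in `winget show` output.

```powershell
# Added example (not from the thread): inspect what winget would actually fetch for a
# package, then verify the download against the manifest hash and the code-signing
# certificate before adding that package to your own install script.
# Assumptions: package ID 'WhatsApp.WhatsApp', the 'winget' community source, and the
# 'Installer Url:' / 'Installer SHA256:' field labels in `winget show` output.
param(
    [string]$Id = 'WhatsApp.WhatsApp',
    [string]$Source = 'winget'   # pin to the official community source, not a stray one
)

$ErrorActionPreference = 'Stop'

# 1. List configured sources. Out of the box there are only 'winget' and 'msstore';
#    anything else was added by a tool or script and deserves a look.
winget source list

# 2. Ask winget for the exact manifest it would use. --exact avoids fuzzy ID matches
#    (a typo-squatted ID is the easiest way to end up with the wrong package).
$show = winget show --id $Id --exact --source $Source --accept-source-agreements
if ($LASTEXITCODE -ne 0) { throw "winget show failed for $Id" }

$urlMatch  = $show | Select-String -Pattern '^\s*Installer Url:\s*(\S+)' | Select-Object -First 1
$hashMatch = $show | Select-String -Pattern '^\s*Installer SHA256:\s*([0-9a-fA-F]{64})' | Select-Object -First 1
if (-not $urlMatch -or -not $hashMatch) { throw "Could not read installer URL/hash from winget show output" }

$url          = $urlMatch.Matches[0].Groups[1].Value
$manifestHash = $hashMatch.Matches[0].Groups[1].Value

# 3. Where does the file really come from? This is the line to eyeball: it should be the
#    vendor's own domain (or their CDN), and it must be HTTPS.
$uri = [uri]$url
if ($uri.Scheme -ne 'https') { throw "Installer is not served over HTTPS: $url" }
Write-Host "Installer host : $($uri.Host)"
Write-Host "Installer URL  : $url"

# 4. Download it yourself and compare with the manifest hash. winget performs this check
#    during install too, but doing it by hand makes clear what is trusted: the manifest
#    in the winget-pkgs repo, not the hosting site.
$name = [IO.Path]::GetFileName($uri.AbsolutePath)
if ([string]::IsNullOrWhiteSpace($name)) { $name = "$Id.bin" }
$out = Join-Path $env:TEMP $name
Invoke-WebRequest -Uri $url -OutFile $out
$actualHash = (Get-FileHash -Path $out -Algorithm SHA256).Hash
if ($actualHash -ne $manifestHash) {
    throw "SHA256 mismatch: manifest $manifestHash, downloaded $actualHash"
}
Write-Host "SHA256         : matches manifest"

# 5. The hash only proves the file is the one the manifest author hashed. The Authenticode
#    signature ties it to a publisher; check who signed it and that the chain is valid.
$sig = Get-AuthenticodeSignature -FilePath $out
Write-Host "Signature      : $($sig.Status)"
Write-Host "Signer         : $($sig.SignerCertificate.Subject)"
if ($sig.Status -ne 'Valid') {
    Write-Warning "Installer is not validly signed; do not add '$Id' to your script blindly."
}
```

Run it once per package you intend to add, and keep the printed host and signer subject next to the winget ID in your script as the record of what you checked. The manifest itself can be read in the winget-pkgs repository under manifests/<first letter>/<Publisher>/<Package>/<Version>/, which is where the URL and hash above come from. The example assumes the `winget` source; packages from the `msstore` source are delivered differently and do not expose an installer URL in the same way.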
 
It's a community repo; the correct answer is that it cannot be trusted. Unless you find the repo or site hosting the package winget is calling and contact those administrators, we here at TPU cannot tell you that the package is safe and has not been intercepted or tampered with.

If security is paramount to you, then eventually as maybe an extension of your project and skill you can download known clean copies of these tools and host them yourself and call those with winget. You could also check it against known good hashes from manual downloads you got yourself.

Until then it is a roll of the dice. Though for the most part, high visibility community packages are likely going to be just fine, for what it's worth.
I guess we can say it is as safe as WinUtil, but also as unsafe as WinUtil since we all use Winget and Choco methods.
 
I guess we can say it is as safe as WinUtil, but also as unsafe as WinUtil since we all use Winget and Choco methods.

Yup. Like everything else, you're fine until you get got. Enjoy the project!
 
Ignoring the potential for malicious packages, winget can come with additional headaches, like sometimes installing updates alongside older versions rather than replacing them, and a few others that don't come to mind right now. Don't bother with it unless you have a particularly good reason to.
 
WinGet (as a tool) is safe, as it is a Microsoft thing. The package sources, however, are community maintained, so there's always a possibility of nefarious activity. Chocolatey is another such package manager that may achieve your goals. As for AI, I wouldn't say don't use it, but definitely review any and all output you get and try to understand exactly what it is doing.
 