Alfred Gallery is a website and system maintained by the creators of Alfred.
Workflows hosted on the Alfred Gallery are subject to automatic and manual security checks, then notarised and signed using strong cryptography. Alfred will only install or update Gallery workflows where there is a valid signature.
Public workflows are overwhelmingly open source and their inherent structure makes them auditable, allowing Alfred’s active community to detect possible foul play if it were to ever happen. There has never been a known case of a malicious workflow.
Some companies have a policy prohibiting them from installing workflows from third-parties. The Alfred team maintains a number of official workflows available to everyone.
A small number of workflows include a compiled binary. macOS requires these executables to be signed and notarised by Apple, cryptographically linking them to the registered Apple Account of the developer and ensuring they have been uploaded to Apple for review as part of their macOS Gatekeeper security feature.
While we validate Apple’s notarisation of a compiled binary, it’s not possible to check their content. As such, we mark these workflows with a banner under the Install button, so that you can make a judgement on whether you’d like to use them.
A few authors bundle third-party libraries with their workflows, to aid in various tasks. For instance, Python developers may rely on the popular urllib3 package to make web requests easier.
While these packages are generally trustworthy and may receive security audits from their indexers and independent researchers, the sheer volume of code they include makes it impractical, even for workflow authors, to verify every change in every update. As such, we mark these workflows with a banner under the Install button, so that you can make a judgement on whether you’d like to use them.
Alfred Gallery does not collect your data.
When Alfred accesses the Gallery to check for workflow updates, no personal information is sent. Furthermore, transferred data is encrypted and never written to disk.