Alfred Gallery is a website and system maintained by the creators of Alfred.
Workflows hosted on the Alfred Gallery are subject to automatic and manual security checks. Once a workflow has passed these, they are notarised and signed using strong cryptography. Alfred will only install or update Gallery workflows where there is a valid signature.
There has never been a known case of a malicious workflow. The overwhelming majority of public workflows are open source and their inherent structure makes them auditable, allowing Alfred’s active community to detect possible foul play if it were to ever happen.
Some companies have a policy prohibiting them from installing workflows from third-parties. The Alfred team maintains a number of official workflows available to everyone.
A small number of workflows include a compiled binary to perform a specific task.
Alfred Gallery requires workflows with binaries to both make the source code available for review and to be signed and notarised by Apple. This ensures that binaries are cryptographically linked to the registered Apple ID of the workflow developer, and that the binary has been uploaded to Apple for review as part of their macOS Gatekeeper security feature.
While we validate Apple’s notarisation of a compiled binary, it’s not possible to check their content, even after reviewing the provided source code. As such, we mark Workflows which contain a signed binary with a banner under the Install button, so that you can make a judgement on whether you'd like to use it.
Alfred Gallery does not collect your data.
When Alfred accesses the Gallery to check for workflow updates, no personal information is sent. Furthermore, transferred data is encrypted and never written to disk.