Share custom lenses with other users

Vlad

riddley Great idea!

In few brief sentences:

How would you imagine the UI for this ?
Do you imagine we would have to manually approve every user submitted lens?

riddley

On reflection I didn't think about security. I think it would be possible for an attacker to craft a malicious lens for phishing or malware distribution. Even with a manual review it would be tricky because the attacker can change the DNS of included domain names after approval. So I'm going to withdraw my suggestion for publicly published lenses. If you can think of a way to do it safely it would be very cool.

I think sharing lenses with other uses is still practical because everyone has a registered email address.

Here's how I imagine it working:

next to the lens is a share button
when sharing, the creator enters a list of email addresses of other users. Kagi would check they are registered users
Kagi generates an automatic email to the recipients
the recipient gets an email that says something like "Kagi user with this username and email has invited you to share a lens. Only accept this if you know and trust this user. Click here to accept"
when the recipient clicks the link the lens gets added to their list

riddley

Actually reflecting further... if Kagi is generating the emails it could be a vector for harassment (e.g. repeatedly sending unwanted lenses to someone with sites that link to violent/sexual content). It seems unlikely but since the possibility is there you'd have to build a report/block mechanism which is a lot of overhead.

Second attempt:

Next to the lens is a share button
When clicked, the button generates a copyable URL (somewhat like a Dropbox share link)
The user can share that link however they choose: email, private chat etc
When a registered Kagi user clicks on the link, they get taken to a page that shows them the lens and says "This lens was create by user with this username and email. Only add it if you know and trust this user"
If they choose to add it, it gets added to their list with a note saying who created it
If the recipient isn't already a Kagi user they get an appropriate message explaining what the link is

This could still be used as a vector for phishing/malware but because the user is identified by their real email, I think the risk is negligible

I think that shared lenses should be copied, not referenced, so if the creator changes the lens it doesn't update the recipient's lens, for safety reasons.

z64

The implementation I suggested in past discussions is similar, but slightly simpler.

You get a sharable link for a lens.
Opening this link opens the Create Lens Form with that lenses settings pre-filled.
You can make any changes you want, then save it.

For discoverability outside of direct sharing, I would like to see something like:

A toggle on your lens that publicly lists it.
We add a UI to search for published lenses by certain criteria.
You can copy them just as above, or "Follow" them to sync changes from the author.
Maybe some kind of ranking. Either number of followers, or upvotes. (Or both)

riddley

z64 Agree with this approach, except that I think that the risk of an attacker creating lenses for phishing is real and should be addressed in the UI.

z64

This could still be used as a vector for phishing/malware but because the user is identified by their real email, I think the risk is negligible

riddley Could you clarify the phishing concern? I don't think we will ever show you other user's emails. When the need has arisen in the past for Kagi users to communicate or share things, we've explored implementing a settable display/username that will be public-facing.

riddley

The attack is that a malicious user creates a lens with a malware/phishing site in it

seventhwave

Hello Vlad and riddley

Just an idea.
I really share your security concerns; how about cloning/customizing the built-in Kagi lenses?

Something like:

"I use everyday the programming lens, but I'd like to add the site X, Y and Z to the set"
go to lenses settings, select "Programming" lens, click on a button like "Customize"
insert other sites to add during the search, and
give to this lens a custom name and save
another lens will be created, customized for the user

Pro:

no security issues: centralized handling of sources
no virality problem: there's no URL exchange from a user to another
no need to list the URL of the builtin lenses (they could be invisible as today)

Cons:

perhaps some impact on the infrastructure? Maybe something has been optimized on the builtin lenses execution path

What do you think?

jetpestlock

I came here to suggest this same feature and like @riddley, I had not considered the security implications. It would be possible to ask the user to verify each of the domains in the inclusion list before saving with a very stern warning. That would not be a great feeling and would put a lot of work on the users plate.

Perhaps, the lens could be published to some site and then we could use a "crowdsource" model to vet and vote and verify. Maybe the lens would need some number or level of verifications, almost like a code review on Github/Gitlab, before it would be available for others to add to their own settings.

Vlad

jetpestlock As you realize yourself it becomes very complciated with potential liability for us.

We will enable sharing of lenses in business/team accounts when we have that.

jetpestlock

Vlad That makes perfect sense to me.

Vlad

seventhwave You can already do that for lenses that are 'plain' you can just view the lens and see what sites are in there (eg Recipes lens)

For custom built in lenses, we use special backend code to drive them, which can not be cloned/modified.

Johnbyurn

Vlad you mention that for kagi supplied lenses there's special code to implement them.

It would be interesting if that was open or at least somewhat open, just to see what sort of unique lenses the community could create - and for some way for kagi to include the most useful of those.

Nankeru

A "Lenses store" would be amazing to search for lenses other users shared publicly.

kf

@Vlad is there a Lenses Store now? It seems that we're supposed to see more:
example

But there's only a handful here: https://kagi.com/settings?p=lenses

Shouldn't there be a lot more? And shouldn't we be allowed more than 20 simultaneously?

z64

kf We have not yet made a "store" - I believe there is a seperate ticket on the forum for such a thing. It's a much more complicated task. For now we just enabled sharable URLs so that users can share them with friends, forums, make their own showcases etc. in the meantime.

kf

Thanks. Kinda sad to hear that @z64. I have a feeling that there are ways to use it that I'm missing and just not yet seeing/envisioning. Have you considered pinning a "Share Your Lenses Here!" forum entry yet?