Org provides tools to work with the code snippets, including evaluating them.
Running code on your machine always comes with a security risk. Badly written or malicious code can be executed on purpose or by accident. Org has default settings which will only evaluate such code if you give explicit permission to do so, and as a casual user of these features you should leave these precautions intact.
For people who regularly work with such code, the confirmation prompts can become annoying, and you might want to turn them off. This can be done, but you must be aware of the risks that are involved.
Code evaluation can happen under the following circumstances:
Source code blocks can be evaluated during export, or when pressing C-c C-c in the block. The most important thing to realize here is that Org mode files which contain code snippets are, in a certain sense, like executable files. So you should accept them and load them into Emacs only from trusted sources—just like you would do with a program you install on your computer.
Make sure you know what you are doing before customizing the variables which take off the default security brakes.
When t (the default), the user is asked before every code block evaluation.
nil, the user is not asked. When set to a function, it is called with
two arguments (language and body of the code block) and should return t to
nil not to ask.
For example, here is how to execute "ditaa" code (which is considered safe) without asking:
(defun my-org-confirm-babel-evaluate (lang body) (not (string= lang "ditaa"))) ; don't ask for ditaa (setq org-confirm-babel-evaluate 'my-org-confirm-babel-evaluate)
Org has two link types that can directly evaluate code (see External links). These links can be problematic because the code to be evaluated is not visible.
Function to queries user about shell link execution.
Functions to query user for Emacs Lisp link execution.
Formulas in tables (see The spreadsheet) are code that is evaluated either by the calc interpreter, or by the Emacs Lisp interpreter.