diff -r 657b88e36ab8 -r 507162614281 HWPFormat.wiki
--- a/HWPFormat.wiki	Thu Jan 22 14:21:01 2015 +0000
+++ b/HWPFormat.wiki	Thu Jan 22 14:53:05 2015 +0000
@@ -83,7 +83,11 @@
 Using HWP is not without problems.
 
 === Security risks ===
-Since HWP files can also include Lua files, there is the danger that someone may trick you into installing a HWP containing a malicious Lua script. Hedgewars does not really have many protections against this. The only thing we can say now is that you should not blindly trust random users giving you HWP files. When in doubt, check the contents of a HWP file by yourself by using your favourite Zip program. HWP files without any Lua scripts should be safe.
+Since HWP files can also include Lua files, there is the danger that someone may trick you into installing a HWP containing a malicious Lua script. Theoretically Lua scripts should not be able to directly write into any files, especially outside of the Hedgewars `Data/` directory. But security has not been intensively tested and there is always the risk of security vulnerabilities in Hedgewars itself.
+
+Another potential risk are PNG files which contain a virus.
+
+The only thing we can say now is that you should not blindly trust random users giving you HWP files. We recommend you to only use HWPs from sources you trust. When in doubt, check the contents of a HWP file by yourself by using your favourite Zip program, or don't install the HWP at all.
 
 === Conflicts ===
 Conflicts happen if there are multiple active HWPs which provide a file with an identical name. Hedgewars will resolve those conflicts silently by using the order or precedence (see above), but this behaviour may still have unexpected effects, since the other file from the other HWP file becomes “invisible”. It is a good idea to check your installed HWP files for any “garbage” from time to time and delete those you don’t need.