ToME addon as malware delivery?

nate
Wyrmic
Posts: 261
Joined: Fri Jan 18, 2013 8:35 am

#1 Post by nate »

I've been really impressed with how much ToME and Lua let me do. I recently uploaded my first add-on, and after uploading it, realized it broke ToME on deactivation. (Put info in .cfg settings that ToME couldn't understand without the add-on loaded. Remember this technique as a way to make people dependent on your add-on :) Or, more deviously, as a way to insert code that doesn't need your add-on activated to execute.)

Anyhow, that got me thinking. The ability to write files to a computer is enough to deliver malware. If I'm not mistaken, I could write a simple ToME add-on that changed your Firefox homepage to a proxy for your regular homepage which intercepted your keystrokes. I could grab a few email passwords that way. And that's hardly the most devious I could get.

I realize that anything one downloads and runs has the potential to be malware. The open source nature of interpreted code is nice, but that just means that interpreted malware would get identified faster than compiled malware. Is there anything ToME does to protect against malicious add-ons? Is there anything it can do? I believe DarkGod scans the code of everything uploaded, but I'm not sure that's enough to prevent problems-- it wasn't enough to prevent my initial, bugged add-on getting uploaded.

I'm not just concerned about this possibility-- I'm a little excited about it, although I'd never do it. The same as I like to watch gangster movies, even though I'm not a murderous thug. What's the worst scenario anybody can come up with for ToME malware?
Proud father of Fx4fx and Chronometer add-ons; proud mother of Fated add-on
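
A triage pass of the kind an upload reviewer could run before reading an add-on by hand, as an added example that is not part of the original post and not ToME's own tooling: it reports references to standard Lua library functions that touch files, spawn processes or load code, ignoring comments and string literals. The function list and the sample add-on source are constructed assumptions; engine-specific file APIs are not covered.

```python
import re

# Standard Lua library functions that touch files, spawn processes or load
# code at run time. This list is an assumption for illustration, not ToME's
# review policy; engine-specific file APIs would have to be added.
RISKY = {
    "io.open": "file read/write", "io.output": "file write",
    "io.popen": "process spawn", "os.execute": "process spawn",
    "os.remove": "file delete", "os.rename": "file move",
    "loadstring": "dynamic code", "loadfile": "dynamic code",
    "dofile": "dynamic code",
}

# Lua comments and string literals, matched left to right as a lexer would.
_SKIP = re.compile(
    r"--\[(=*)\[.*?\]\1\]"        # long comment  --[[ ... ]]
    r"|--[^\n]*"                  # line comment
    r"|\[(=*)\[.*?\]\2\]"         # long string   [[ ... ]]
    r'|"(?:\\.|[^"\\\n])*"'       # double-quoted string
    r"|'(?:\\.|[^'\\\n])*'",      # single-quoted string
    re.S,
)
# A reference (not only a call), so `local o = io.open` is reported too.
_NAMES = "|".join(re.escape(n).replace(r"\.", r"\s*\.\s*") for n in RISKY)
_REF = re.compile(r"(?<![\w.:])(" + _NAMES + r")(?!\w)")

def scan_lua(source):
    """Return [(line_no, name, reason)] for risky references in live code."""
    # Blank comments and strings but keep newlines so line numbers survive.
    code = _SKIP.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), source)
    hits = []
    for m in _REF.finditer(code):
        name = re.sub(r"\s+", "", m.group(1))
        hits.append((code.count("\n", 0, m.start()) + 1, name, RISKY[name]))
    return hits

# Constructed sample add-on file, not a real ToME add-on.
SAMPLE = '''-- constructed sample add-on file
local msg = "call io.open later"   -- text inside a string is ignored
--[[ os.execute("x") inside a block comment is ignored ]]
local f = io.open("settings.cfg", "w")
f:write("addon_option = 1\\n")
f:close()
local run = loadstring
'''

if __name__ == "__main__":
    for line_no, name, reason in scan_lua(SAMPLE):
        print(f"line {line_no}: {name} ({reason})")
```

Matching names statically only prioritises files for human review; it does not replace running add-ons in a restricted Lua environment.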
