I went through a whole lot of ideas when I was working on how to prevent this in TMW, but in the end, there is no way to make scripts completely safe. You can isolate them into their own environment and allow them access to only a whitelisted set of functions and variables - that would mean no library access, no interaction with other addons, and it would mean I would have to significantly rewrite huge parts of TMW in order to keep any custom scripts away from parts of the addon that could allow them to break out of that environment (if anything could get access to an Ace3 module's embed list, for example, then its completely compromised).
What I ended up doing was just to present users with a dialog any time they import anything that could be executed by TMW. The dialog includes the code itself, as well as a message that says something along the lines of "most of the time, scripts are fine, but there are mean people out there, so don't talk to strangers!". It makes naive attempts to alert the user to any malicious functions (like AcceptTrade, SendMail, etc.), but even the most trivial of obfuscation could get around them. Ultimately, its up to the user (in all cases - not just TMW) to evaluate whether they trust the code and the source of it.
As Cybeloras describes it is possible to obfuscate the code to prevent any "keyword" matching.
Therefore making the only sure-fire solution being an intervention from blizzard.
They would have to adjust the functions themselves, either crippling their functionality or adding in confirmation prompts.
Either of which are going to hurt legitimate addons and honest players.
This isn't a "weakauras exploit", but simply using a very convenient route to do what can be done in traditional addon form.
Originally Posted by DeadmanWalking
I don't understand why we don't have flying so they tell us we will have convenient flight points. Immersion and danger? Here take some coins and fly me there while I read facebook or go take a poop.
Originally Posted by Reinaerd
T'is good to see there are still people valiantly putting the "Ass" in assumption.