Macworld: News: Dashboard: Widget (In)Security: Widgets are owned by the user, and can do anything that a user can do. For instance, they can remove files from your home directory without asking permission. They can run anything from the command line that a user can. They can call any AppleScript that a user can. If you’re now starting to get a little nervous, you’ve got the right idea.
[Via Backup Brain.]