[SDPhantom]

In all honesty, running within the parameters Blizzard allows us through the addon system, there can be some nasty code if someone knew what they were doing.

For example, I've had a private project that would prove the concept of being able to remotely run Lua code on another player's machine. The addon code ran similar in the way a trojan virus does. The user would unwittingly install the code and have it run. While running, the addon would allow remote access to the host system and wait for additional code to be sent from a remote source for it to execute. Unlike a normal computer virus, there is no way for addon code to propagate itself to infect other machines or even other addons on the same machine.

For security purposes, I've kept the code to myself and integrated a secure login system so nobody else could take advantage of it while I was testing. The person I ran the test with as a host is a RL friend who fully agreed to assist me in the test, and in fact, supplied me with different things he wanted to see me make his character do. I supervised the removal of the code from his machine afterward.

Being run as a pure WoW addon, there were still the same limitations on the code I could have run. However, nothing could stop such code from being able to send the game into an infinite loop, causing it to freeze, messing with the UI, or read the WoW API to track player status and location. This would be among the usual list addons can do including the ability to send chat and emotes through the host player, spy on communications to and from the player, direct access to bags/inventory and in specific circumstances, player/guild banks, mail, guild control, etc.

A lot of damage can be done in-game from such an addon, but once found, it'll be as easy to remove as deleting the code and restarting WoW. and because of the nature of the WoW environment, an addon is unable to access anything outside of the game.