Set Arrival Time was reported 25-03-2026 for Undisclosed antifeature (e.g. ad, tracking, miner, etc.)
Hello GreasyFork Team,
I am writing to report a serious privacy concern regarding the following userscript published on your platform:
Script: "Set Arrival Time"
Author: FunnyPocketBook
Namespace: FunnyPocketBook
Version: 3.2.4
Upon reviewing the source code, I discovered that the script contains deliberately obfuscated code that covertly transmits personal user data to an external third-party server without the user's knowledge or consent.
Specifically, the functions resolve_tw_token() and rotate_tw_token() are designed to obscure a hardcoded external URL through a multi-step character substitution scheme. On the first page load, the script silently sends the following data via an HTTP POST request to this external server:
- The player's in-game name
- The player's account ID
- The game world the player is active on
The intentional obfuscation of the target URL is a strong indicator that this data collection is deliberate and designed to avoid detection. There is no disclosure of this behaviour anywhere in the script's description, metadata, or comments. Users installing this script have no way of knowing their data is being transmitted to a third party.
This appears to violate GreasyFork's own rules, which prohibit scripts that "send personal data to a third party without disclosing this in the script's description" as well as scripts that use obfuscated code for malicious purposes.
I kindly request that you:
1. Remove or suspend the script pending investigation
2. Notify users who have installed it
3. Review the author's other published scripts for similar behaviour
I am happy to provide the specific relevant code sections if needed.
Thank you for your attention to this matter.
Best regards,
ayhmeh
FunnyPocketBook (the reported user) has made:
This report has been upheld by a moderator.