Duolingo Farm Pro was reported 23-04-2026 for Undisclosed antifeature (e.g. ad, tracking, miner, etc.)
GreasyFork Violation Report — Undisclosed Antifeatures
Report Category: Undisclosed antifeature (tracking, payment, malicious data collection)
Script Name: Duolingo Farm Pro
Script Version: 2.0.3
Author: LucaN
Summary
This script contains multiple undisclosed antifeatures that are required by GreasyFork policy to be declared via
@antifeaturemetadata tags. As of the current published version, the script header contains zero@antifeaturedeclarations despite exhibiting behavior that falls under at minimum three distinct antifeature categories.Additionally, one behavior identified during analysis constitutes a security risk to end users independent of platform policy.
Finding 1 — Undisclosed External Data Transmission (Tracking)
Required tag:
@antifeature trackingThe script extracts the authenticated user's Duolingo JWT token directly from browser cookies at runtime:
const jwtToken = document.cookie .split('; ') .find((cookie) => cookie.startsWith('jwt_token=')) ?.split('=')[1];This token is subsequently transmitted on every API call to a third-party server (
duoapi.smoteam.com) via theAuthorizationheader:headers: { Authorization: state.token, // Bearer <user JWT> 'X-License-Key': state.licenseKey, ... }The endpoints receiving this credential include XP farming, gem farming, streak manipulation, item claiming, account creation, and follower boosting — effectively forwarding the user's full session credential to an external service with no disclosed privacy policy, no opt-out mechanism, and no documentation in the script metadata.
GreasyFork rule reference: Scripts that transmit user data or credentials to external servers must declare
@antifeature tracking.
Finding 2 — Undisclosed Payment / License Gate
Required tag:
@antifeature paymentThe script implements a hard license verification gate on startup:
async function checkSavedLicense() { const savedKey = state.licenseKey; if (savedKey) { ... } createLicenseUI(); // blocks UI if no valid key }Features gated behind a paid license include streak farming, Super Duolingo activation, shop item claiming, account creation, and fast gem mode. The free tier (
free_trialkey) explicitly restricts access to these features via CSS class injection (duo-pro-lock).No
@antifeature paymenttag is present in the script header. GreasyFork requires this declaration for any script that restricts functionality based on payment or license status.
Finding 3 — Undisclosed Ad / Monetization Link Integration
Required tag:
@antifeature adsInternal documentation within the script's state comments and source references an ad-link gating system using Link4M and Shrinkearn for key acquisition:
key system with Supabase-based free keys [...] and ad-link gating via Link4M/ShrinkearnWhile the ad redirect itself may occur outside the userscript, the script is the delivery mechanism that enforces the gate. This constitutes an undisclosed monetization antifeature under GreasyFork policy.
Missing Metadata (Required Corrections)
The script
@UserScriptblock should include, at minimum:// @antifeature tracking Transmits user Duolingo JWT token to third-party server (duoapi.smoteam.com) // @antifeature payment Core features locked behind paid license key // @antifeature ads Free license key acquisition requires completing ad-link redirectsConclusion
The script as published fails to meet GreasyFork's antifeature disclosure requirements across three categories. The most severe issue — transmission of the user's authenticated session token to a third-party server — represents a user security concern that warrants immediate review regardless of policy technicalities.
Recommended action: Remove the script from listing pending addition of required
@antifeaturetags and disclosure of the external data transmission behavior in the script description.
Song Or (the reported user) has made:
This report has been upheld by a moderator.