How can a bookmarklet automatically run without interaction? Is that a security hole?

Last night开发者_运维百科 while listening to turntable.fm, I looked for an auto awesome extension for chrome. I came across a bookmarklet that does the same thing. The thing that gave me pause was that a bookmarklet can take action automatically without me doing anything. How does it do that? Is that a security hole that needs to be fixed? What is preventing someone from social engineering a password sniffer bookmarklet?

---

The How To Use page shows this bookmarklet explicitly run by the user once (when you enter the ID of the button itself), then periodically checks when it can raise the click event to "auto-awesome." A bookmarklet is a hyperlink that has JavaScript instead of a URL, so it can't be executed without the user clicking on it.

Whenever you run a bookmarklet (or initiate any JavaScript, really) you are effectively giving that code permission to act as you with the contents of the current page. This might not be clear to the user, but browsers have a history of not handling bookmarklets specially so I wouldn't expect to see this behavior changed.

A bookmarklet could theoretically be written to sniff passwords, but the user would first have to initiate the bookmarklet somehow on a page where they will be entering a password. This is more an issue of a user running untrustworthy code than a browser having a security hole.