November 3, 2007

Harold's OpenSocial Exploit

Harold the Rebel has demonstrated how an OpenSocial gadget can run rampant in its container. Because Ning executes his gadget's code in an iframe that Ning itself served up, the iframe shares the container page's origin, and so his widget is able to access window.top.document. Because Ning serves his gadget via a proxy, Harold could have initially submitted an innocent version of the widget and then changed it later on. Ning obviously will start to parse incoming gadgets for malicious code, as will every social software service using OpenSocial. Unfortunately, the gadgets XML format does not use namespaces identified by URIs, much less a widely recognized way to refer to the document author and other essential metadata. As a gadget is essentially a working HTML document, it should follow all of the conventions of one. These oversights essentially leave OpenSocial gadgets "disconnected" from the emerging data web, increasing the difficulty of forming a reliable and open web of trust around them.
Copyright © Jamie Pitts