> username = r.config.logged; // stealing reddit username and sending them to your own server
That seems like a pretty good unique identifier, but I think it could be hashed for privacy.
> socket.on('alert_autoclick', thebutton.click() ); // click the button automatically when your server tells it to
Isn't that the whole point of this extension, to click the button when the server tells your browser to? It seems like you're implying that's a bad thing.
> socket.on('reload', location.reload() ); // reload page when your server asks to inject new code from it
This seems to be the most common JavaScript live updating technique (reload when websocket says so is what grunt watch uses). Again, it seems like you're implying that's not normal.
username = r.config.logged; // stealing reddit username and sending them to your own server
socket.on('alert_autoclick', thebutton.click() ); // click the button automatically when your server tells it to
socket.on('reload', location.reload() ); // reload page when your server asks to inject new code from it
and the server code isn't even publicly available...
is this a joke? do you know what malware is?