
Thoughts on a new userscript management platform

§
Posted: 16-10-2025

Hey everyone 👋,

I’ve been part of the userscript/modding world for a while, and one thing that’s always fascinated me is how powerful yet underground this community still feels. Despite how much impact mods have on improving websites, we don’t really have a shared layer of trust, analytics, or collaboration with the websites we’re extending.

That’s what inspired me to start working on a thing called ModHub: a potentially new platform designed to make browser mods safer, verifiable, and better connected to the web itself.

What is ModHub?

Think of it like the Steam Workshop for browser mods or an App Store for userscripts, but with a focus on trust and transparency between:

* Users --> who want safe, auto-updating mods.

* Developers --> who want recognition, analytics, and protection for their work.

* Websites --> who want to collaborate with verified mods instead of fearing or banning them.


How it works (conceptually)

* Mods register with ModHub and get a verified ID + hash (like a signature).

* A browser extension acts as a secure bridge that knows which script is running.

* When a mod sends data (for example, to a third-party site), it goes through ModHub’s servers first, adding metadata like:

  which mod sent it, which domain it came from, whether it’s a verified (registered) ModHub mod, and whether the script is unmodified.

* Websites can then choose to trust only verified ModHub mods, similar to how CORS or OAuth scopes work.


Why this matters

Right now, when mods send data to a third-party website, it just sees traffic coming from domains like “youtube.com,” and there’s no way to tell which mod actually made that request. ModHub fixes that by becoming a trusted middle layer, a universal identity and permission system for mods.

What it could mean for you all:

* No more fakes or unsafe clones of popular scripts.

* Developers get usage analytics and visibility.

* Sites can safely whitelist trusted mods instead of banning them.


Why I’m sharing this here

I know many of you are experienced script authors and maintainers; you’ve seen how decentralized and fragile the current ecosystem can be. I’d love to hear any feedback from you all:

* What you think about introducing a verification + relay system like this?

* What problems or pushback you’d foresee?

* How you think something like ModHub could integrate with existing tools like Tampermonkey, Violentmonkey, or GreasyFork itself?


This isn’t a product announcement (it’s still early exploration) but I’d really value your feedback before building the first prototype.

Thanks for reading!

woxxom (Mod)
§
Posted: 16-10-2025

It's unclear why anyone should trust ModHub's server administration, so you'll have to find a way to assure people their data is secure and guarantee it'll never be used without explicit consent.

> When a mod sends data (for example, to a third-party site), it goes through ModHub’s servers first, adding metadata like:

Sounds slow, prone to DDoS, incompatible with corporate intranets. Anyway, it would require that the userscript extension implements this logic.

> Websites can then choose to trust only verified ModHub mods

Such standardization would likely take many years at design stage alone, knowing how W3C works.

> Right now, when mods send data to a third-party website, it just sees traffic coming from domains like “youtube.com,”

That may be an intended and desired outcome. Browser extensions and userscripts are user's agents by design, they exist to seamlessly augment the web.

> and there’s no way to tell which mod actually made that request.

The userscript that wants to be detected by the site's server can do it trivially by adding a header. It can also be an option in the userscript extension (e.g. Tampermonkey).

> No more fakes or unsafe clones

There's no easy way to prevent these things. An AI analysis may easily overlook stuff that was cleverly adapted, so you would need many human moderators capable of reading code.

Overall I doubt this could work unless this is genuinely endorsed and backed by a company like Google or Mozilla.

§
Posted: 16-10-2025

Really appreciate the thoughtful feedback...these are all very fair and important points.

I completely understand the philosophy that userscripts and extensions act as the user’s personal agents (augmenting the web privately and independently). That’s the beauty of the ecosystem, and I’m not trying to change that principle.

Where ModHub’s focus diverges a bit is in a newer category of networked mods: scripts that don’t just modify a page locally but also communicate externally (e.g., sending data to a community site, syncing user info, or interacting with third-party APIs).

In those cases, the “anonymous user agent” model starts to create problems for both sides:

* From the site’s perspective, it can’t tell whether a request actually came from a verified mod or a spoofed copy pretending to be one.

* From the developer’s perspective, anyone can duplicate or modify their script and send data in its name.

You’re absolutely right that adding a custom header or identifier is trivial...and that’s exactly the issue. Those identifiers can be forged, because there’s no cryptographic proof tying a request to the actual, verified code the developer published.

That’s what ModHub is trying to explore, not as a centralized gatekeeper, but as an opt-in verification layer. The idea is that mods can sign their own requests (locally, via a trusted extension) and external sites can verify that signature without ModHub ever inspecting user data. So the verification can happen without breaking the “user-first” philosophy. ModHub isn't trying to replace the practices that are already in place for userscripts. You'll still be able to freely create scripts, host them on ModHub and utilize them as you would on GreasyFork or Tampermonkey. It's just when it comes to mods that utilize third party sites or send data externally, ModHub makes that process of verification and identification easier (as neither Tampermonkey nor GreasyFork provides a foolproof solution to that).

I agree full standardization (W3C-level) would take years; this is more of a practical experiment in how an optional trust layer could work for the subset of mods that rely on cross-domain communication.

It’s still early thinking, and I appreciate the skepticism. It helps refine what actually needs solving and what can be left to existing script managers.

woxxom (Mod)
§
Posted: 16-10-2025

So I guess your idea to prevent the fakes and clones in terms of remote API usage might be achievable if the GM extension connects to ModHub and sends the ModHub id of the script and a checksum of the script's source code in addition to the parameters of GM_xmlhttpRequest, then ModHub would use some auth mechanism via tokens registered explicitly by the admins of various web sites.

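The signing-and-verification idea discussed in this thread (a trusted extension signing the mod ID, a checksum of the script source and the request parameters, and the receiving site checking them), sketched as an added example that is not part of any post and is not ModHub, Tampermonkey or Greasy Fork code. Assumptions: a per-mod Ed25519 key held by the extension, a site-side registry of public keys and script hashes, and hypothetical field and function names throughout.

```javascript
// Added illustration; every name, key and value here is hypothetical or constructed.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");

// Fields covered by the signature, in a fixed order so both sides serialize identically.
const canonical = (r) =>
  JSON.stringify([r.modId, r.scriptHash, r.method, r.url, sha256(r.body), r.ts, r.nonce]);

// Extension side (assumed trusted): hash the script source actually running, then sign.
function signRequest(privateKey, modId, scriptSource, method, url, body, ts, nonce) {
  const req = { modId, scriptHash: sha256(scriptSource), method, url, body, ts, nonce };
  req.sig = crypto.sign(null, Buffer.from(canonical(req)), privateKey).toString("base64");
  return req;
}

// Site side: registry maps modId -> { publicKey, scriptHash } recorded at registration.
function makeVerifier(registry, maxSkewMs = 60000) {
  const seen = new Set(); // accepted nonces; in-memory only for this demo
  return function verify(req, now) {
    const entry = registry.get(req.modId);
    if (!entry) return "unknown-mod";
    if (req.scriptHash !== entry.scriptHash) return "modified-script";
    const ok = crypto.verify(null, Buffer.from(canonical(req)), entry.publicKey,
      Buffer.from(String(req.sig), "base64"));
    if (!ok) return "bad-signature";
    if (Math.abs(now - req.ts) > maxSkewMs) return "stale";
    const key = req.modId + ":" + req.nonce;
    if (seen.has(key)) return "replay";
    seen.add(key);
    return "ok";
  };
}

// Constructed sample data.
const SOURCE = "// ==UserScript==\n// @name Demo\n// ==/UserScript==\nconsole.log('hi');";
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const registry = new Map([["mod-123", { publicKey, scriptHash: sha256(SOURCE) }]]);

function demo() {
  const verify = makeVerifier(registry);
  const t = 1760572800000; // constructed timestamp (ms)
  const url = "https://api.example/v1";
  const good = signRequest(privateKey, "mod-123", SOURCE, "POST", url, "{}", t, "n1");
  const clone = signRequest(privateKey, "mod-123", SOURCE + "\n// edited", "POST", url, "{}", t, "n2");
  const tampered = { ...good, body: '{"x":1}', nonce: "n3" }; // body changed after signing
  return [verify(good, t), verify(good, t), verify(clone, t), verify(tampered, t)];
}
console.log(demo());
```

The script-hash check is only as strong as the component that computes it: it holds when the hash is taken by the extension rather than reported by the script itself.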