User blog comment:Rappy 4187/Tools For Making JavaScript Review Even Easier/@comment-5558012-20160714170557/@comment-24473195-20160714182140

> Do they pose a security threat?

It actually does. It is trivial put  a configuration option to inject javascript, but as long as the original function in the script cleans up the imported configuration, and that script is actually reviewed, then it shouldn't cause a problem.