Yeah, add-ons of various kinds are the biggest security hole in any web browser: even without malicious attacks, just look at the number of security holes in Flash, Adobe PDF and Realplayer plugins. Firefox should really make NoScript part of the browser so there's no reason for most people to even have to think about installing anything else.