[jleehey]

Why does this matter? You'll need to get the code somehow, and once its on your machine, it doesn't make any requests. You can take a look at the code to find out if its malicious or not.

[bitJericho]

How on Earth would you be able to (easily) tell if the scripts loaded into memory are the scripts at the legitimate URL location? Eg:

    <script type="text/javascript" src="/js/lib/bitcoinjs-min.js"></script>
    <script type="text/javascript" src="/js/lib/jquery-2.1.0.min.js"></script>
    <script data-main="/js/main" src="/js/lib/require.min.js"></script>

[jccooper]

You can still verify that it's not communicating. Browser (and/or OS tools) will show that easily.

What you can't verify easily (without inspecting the source through your browser) is that the keys its giving you are brand new. Figuring that's a bit more involved--and you'd have to do that every time you load the page. Which really kills the ease of using a website.