Welcome to zaptastic. If you are using Safari on Tiger, thanks to the magic of widget autoinstall, combined with the tag, a slightly evil widget has been installed in your dashboard. It could be a lot worse.
With one more line of code, the more evil version that I promised earlier takes you to GreenZap every time the widget is shown. This means that once you install zaptastic evil, every time you launch Dashboard, your web browser goes to the GreenZap site. Which has the side effect of immediately dropping you out of Dashboard, preventing you from closing the offending widget.
Even without root, though, there are some pretty interesting things you could do. A widget, for example, could use time when it is hidden to add <meta> tags to every .html page stored in the users home directory. If the user happens to be running a web server - or even uploading files to one — this could propagate a widget to other machines.