Both gadget systems have scope for the user to actually create malicious behaviour. DesktopX sits on windows scripting languages so whatever you can do in vbScript can be done, and vbScript can do some scary stuff.
Usually, the things which are troublesome are when remote attacks are possible. Remote attacks mean they can use some sort of 'open' interface to send commands to your system via a vulnerability in the software running on your system.
e.g. a webpage with some code, might be able to trigger a gadget, which executes a command, but is able to have the attackers command attached to it from the webpage code, resulting in them being able to execute any command they like - essentially piggy backing on the gadget system.
Whether DesktopX has an identified exploit like this I'm not sure. Maybe Stardock will have a view point to share.
It's in the same vain as disabling scripting on websites - because again, they could potentially do bad things.
Or maybe Microsoft just don't want a gadget system to conflict with future 'app store' plans they have, and are helping the demise of gadget software with scare mongering...hmmm
DesktopX doesn't sit around with open ports or a remote command interface (I think) and doesn't have an automation interface outside of it's own scripting - so I'm inclined to say it's probably as safe as any other thing you have on your computer, just use common sense, it's an executable, even if the gadget itself isn't malicious with what it's programmed to do, it may have a virus attached anyway from the source system!
Christ, I need to learn how to make shorter posts.
