...
I wonder if this script can send a withdrawal request or change the withdrawal address though. Since it has an access to the client side, it can do whatever it wants. (From your side)
Yes, it can do both. An unauthorised withdrawal was initiated on my account. And it was able to bypass my profile address.