<script> node. There are a few that work through iframes, and while there are still a few issues with that, the script nodes are the ones that can do you the most damage.
- not try to steal the data our users give us through the website,
- not manipulate our page content in malicious ways,
- not track our users' actions in any way that we haven't authorised them to do,
- probably more...
Not be too trusting

We don't just trust the widget provider, but also their hosting provider and their DNS registrar. This is a sub-topic under the "don't be careless" part above, but there may be another entity involved here. Running a whois lookup on the widget provider's hostname will tell you who their DNS registrar is. Do you trust them to not get compromised and have DNS redirected? Does the widget provider use SSL to guarantee that the host you're connecting to is in fact a host they own? Can you trust SSL?
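
To know which hostnames those questions apply to, you first need an inventory of what the page embeds. The following is an added example, not code from the original post: it lists every third-party script node and iframe in a page, notes whether each is fetched over SSL, and orders the hosts so that script nodes come first. The page URL, the markup, and all hostnames are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; every hostname here is a placeholder.
PAGE_URL = "https://shop.example.com/checkout"
PAGE_HTML = """
<script src="/static/app.js"></script>
<script src="http://widgets.example.net/badge.js"></script>
<script src="//cdn.example.org/share.js"></script>
<iframe src="https://video.example.org/embed/1"></iframe>
<script>var inline = 1;</script>
"""

class EmbedAudit(HTMLParser):
    """Record every <script src> and <iframe src> served from another host."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in ("script", "iframe") or not src:
            return  # other tags, inline scripts, frames without a source
        # urljoin resolves relative and protocol-relative (//host/path) URLs
        url = urlsplit(urljoin(self.page_url, src))
        if url.scheme not in ("http", "https") or url.hostname == self.page_host:
            return  # first-party or non-network source
        self.findings.append({
            "host": url.hostname,
            "tag": tag,
            "https": url.scheme == "https",
            # a script node executes inside our page's origin; an iframe keeps its own
            "runs_in_our_origin": tag == "script",
        })

def audit(page_url, html):
    parser = EmbedAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def hosts_to_review(findings):
    """Hosts to run whois on, riskiest first: script nodes, then plain HTTP."""
    ranked = sorted(findings, key=lambda f: (not f["runs_in_our_origin"], f["https"], f["host"]))
    return list(dict.fromkeys(f["host"] for f in ranked))

if __name__ == "__main__":
    print(hosts_to_review(audit(PAGE_URL, PAGE_HTML)))
```

The protocol-relative `//cdn.example.org/share.js` inherits the page's scheme, so the same tag is fetched without SSL whenever the page itself is served over plain HTTP.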
Not go down

Let's face it... how many times have you had a Twitter (or any other) widget on your page that showed nothing? Perhaps you're being rate limited, perhaps the service is down for maintenance, or something else. That huge blank space where your widget should be looks kinda bad. Not really a security issue, but it hurts your site's image.