Potential Dashboard widget install/security bug?

While installing the PageOpener widget I just mentioned, I noticed something odd that could possibly be a bug in the widget installation process. I by no means am trying to incite mass hysteria centered around widget security, consider this more food for thought: I'm using the latest version of Safari on OS X 10.4.3, and I have the browser's auto-install option enabled. Once Safari downloaded and unarchived the widget, it gave me a pre-Dashboard dialog asking if I want to install the widget; naturally I chose "install". Now Dashboard kicks in, enables the widget and gives me a second dialog (pictured) inside Dashboard, asking whether I want to delete or keep the widget. Before making a choice, I left Dashboard to check on something, only to come back into Dashboard to find the keep/delete dialog no longer there; the widget was simply enabled and waiting to do my bidding.

Now I am neither a security expert nor an OS X bug-tracking sleuth, but isn't this a little odd? A fellow TUAW blogger, Scott McNulty, thought this could be chalked up to a usability thing, as if "keep" was simply a default option in the dialog that Dashboard choses on exit. But if that's the case, there isn't any feedback in said dialog that one option is a default over another, or if one option is being chosen; no mouse-over, no Aqua-highlight color, no flash or blink once an option is chosen. Even if this isn't quite a security issue, it's at least a shining example of where some aspects of Apple's UI have recently strayed quite far from the Aqua path.

On the note of security however, I know widgets – their capabilities and potential threat – have been discussed quite a lot, but could this odd behavior be a new way that Dashboard is leaving the front door just a little too open? As far as I know, we haven't seen anything truly malicious appear in the months since Tiger's unleashing, so hopefully this is nothing more than a quirk and you can all go on about your business.