Can websites detect use of simple Tampermonkey scripts?

Question

Out of curiosity and not being able to find a clear answer, I was wondering. Are websites able to detect use of Tampermonkey user-scripts? If so, is it any script or only if it has specific functionalities? Would a simple script like the following be detectable by a website?

(function() {
  var randomizer = Math.floor(Math.random() * 241) + 20; //Gets a random number between 0 and 240, then adds 20
  //console.log(randomizer);
  setTimeout(function(){ location.reload(); }, randomizer*1000); 
})();

Answer 1

tl;dr - no

The browser, nor the Tampermonkey plugin do not advertise the presence of userscripts. That is there isn't a straightforward way to just write if(tampermonkeyActive) and detect it.

However, webpage may implement anti-tampering techniques. These may not be directed at Tampermonkey, but any type of suspicious behaviour. This may include:

• Suspicious amount of activity per unit of time per user
• Activity when the webpage is not in focus
• Unexpected global variables or function calls
• Checking isTrusted on events.

Of all these, I have only experienced the first example, that is logging activity server-side and manually reviewing it. Thus if you're trying to automate something and the site owner is not keen on it, you should consider making it look human-like.

Security

Tampermonkey script already runs in wrapped scope, so the self-invoking function is redundant.

Detecting a userscript can be something a malicious actor might want to do. If you use @grant to get any of the special features of tampermonkey, and also use @grant unsafeWindow, leaking any of the functions could allow actor that detects that to hack your browser. It would take a lot of effort though - they need to detect the userscript, then manually hack it, since every userscript is different.