An extension that allows a player to abuse GM-only priveleges doesn't sound like something you want in your game. Whether or not the player has ill intent, the extension sounds like it has the capability to mess up the campaign. What functionality is the player actually using it for? Never mind, figured it out. It's the macro importer/exporter attached to VTTES. I just had a play with it, it exports a .json of all selected macros and has a "visibleto": "-M-EUV4cgUr-9n1XykzX" field for each macro. If this is set to "all" and imported by a player, the macros show up in the GM list (and everyone else's, presumably) and cannot be edited. This isn't ideal behaviour. I don't use Github myself, not sure if anyone feels like doing the deed of reporting the issue to the creator (unless they lurk about here under a different name?). I'm assuming this isn't intended behaviour, the extension seems to have plenty of other GM-only features, so presumably a GM check on a macro import isn't terribly difficult. Obviously this isn't Roll20's problem, but that doesn't mean it won't pop up again in these forums... after all, the person affected isn't even using the extension.