diff --git a/src/pkg/utils/yaml.ts b/src/pkg/utils/yaml.ts
index 474ce7a8c..2e9377701 100644
--- a/src/pkg/utils/yaml.ts
+++ b/src/pkg/utils/yaml.ts
@@ -9,7 +9,7 @@ export function parseUserConfig(code: string): UserConfig | undefined {
 }
 const configs = config[1].trim().split(/[-]{3,}/);
- const ret: UserConfig = {};
+ const ret = Object.create(null) as UserConfig;
 const sortSet = new Set();
@@ -20,6 +20,12 @@ export function parseUserConfig(code: string): UserConfig | undefined {
 }
 // 验证是否符合分组规范:group -> config -> properties
 for (const [groupKey, groupValue] of Object.entries(obj)) {
+ // Reject keys inherited from Object.prototype (e.g. __proto__, constructor,
+ // valueOf, toString) so untrusted userscript metadata can't pollute lookups.
+ if (Reflect.has(Object.prototype, groupKey)) {
+ throw new Error(`UserConfig key "${groupKey}" is not valid.`);
+ }
+
 if (!groupValue || typeof groupValue !== "object") {
 // 如果分组值不是对象,说明不符合规范
 throw new Error(`UserConfig group "${groupKey}" is not a valid object.`);
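Review bot: The new `const ret = Object.create(null) as UserConfig;` reaches for an `as` assertion where a plain declaration already type-checks, since `Object.create` returns `any`: `const ret: UserConfig = Object.create(null);` gives the same null-prototype object without silencing the checker. Because `ret` no longer inherits from `Object.prototype`, any later code in parseUserConfig or its consumers that calls `ret.hasOwnProperty(...)`, `ret.toString()` or tests `ret instanceof Object` will now throw or change result; the rest of the function is outside this hunk, so that needs confirming with `Object.hasOwn`/`Object.keys` as the replacement where it applies.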
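Review bot: The reserved-name guard added at the top of the group loop only checks `groupKey`; the comment on the line above describes a group -> config -> properties shape, and if the config and property keys are later assigned into plain `{}` objects (the loop body continues past the hunk, so this is inferred) the same check, or null-prototype containers, is needed at those levels as well. Pulling it into one helper keeps the levels consistent: `const isReservedKey = (key: string): boolean => Reflect.has(Object.prototype, key);`. This check also rejects ordinary identifiers such as `constructor` or `toString` as group names, which is a reasonable tightening but should be spelled out to the user, e.g. `throw new Error(\`UserConfig key "${groupKey}" is a reserved name and cannot be used.\`);`.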