How would that work. To me the blockchain checker looks like it would do the job.
Start a bounty for MyWallet injection exploit (5BTC to be worth the while).
Exploit description:
The content script used by My Wallet checker runs in document_idle state, when script tags of document are already executing.
if it used run_at: document_end, it would have chance to catch remote script tag, but not inline javascript.
if it used run_at: document_start, there is not even DOM constructed, so you have nothing to inspect, though you might have chance to hook early and check DOM as it loads. Unsure if possible to attain reliability here, but certainly not done by the checker now.
In short, checking the DOM after it is loaded is harder than naive implementation, because once it loads, code contained there can modify itself (simply setTimeout and remove the script tag).
Note that this is only one of MyWallet's unbacked claims of security, there are much more :)