These values are used in an eval() to create a new global variable:

eval("var " + emailUrlVarName + "
    = 'https://mail.google.com/mail?view=cm&tf=0"
    + (emailTo ... );

As there is no intermediate filtering step, injecting code into this eval is rather simple:

<a mailto="me@th)';your_js_code_here;//>name</a>

If a Firefox with the according userscript installed displays a webpage that contains such a mailto-link, the browser executes the injected JavaScript in the domain of the displayed webpage. Therefore the Greasemonkey-script creates a XSS-problem in all web applications that allow users to create arbitrary mailto-links (as e.g. the default installation of Wordpress does). Go here for a demo. Furthermore, these scripts are executed in the Greasemonkey domain, thus are allowed additional privileges like cross-domain XMLHttpRequests.

I don't consider this issue to be grave or critical. I don't expect the install-base of this particular userscript to be big enough to actually cause any exploitation. Nonetheless I think it is a good example how browser add-ons can create XSS-problems in web apps that are secure themselves.