Other than that - pretty kewl! Is the code open source?
Let me start by saying that the notion that XSS can only be used to harvest cookies is a very common misconception.
The truth is that, with XSS, any action a user may do on the vulnerable site (that doesn't require a password) can be mimicked.
Edit/Note: This does mean that any site could force visitors to participate in a DDoS attack. What prevents this from becoming common is the number of visitors required for a DDoS attack to succeed.
This would probably not work on this site because the number of users is only ~6000. I don't know how many users would actually be required to dent a typical site. I do know that "Anonymous" recently used a client-side DDoS tool on a large number of users.