Google Chrome OS is just the Chrome browser running on a thin OS, so extensions are like applications installed on other operating systems. They have much more power than Firefox plugins. Extensions are not reviewed, just removed when people complain. Many extensions have cross-site scripting vulnerabilities, enabling one extension to read and write information in other tabs. For example, an extension could inject JavaScript into the tab for your online banking and have it collect and send your credentials to the attacker. It could even show you the old figures so that you don’t know that all your money was transferred out of your account.

This information is from a session I attended at Black Hat called "Hacking Google Chrome OS," presented by Matt Johansen and Kyle Osborn of WhiteHat Security.
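Because extensions are not reviewed before they are published, one practical check is to read an extension's manifest before installing it and see whether it asks for access to every site. The following is an added example, not code from the talk or from this post: it audits the standard `permissions`, `host_permissions` and `content_scripts` manifest keys. The two sample manifests, the function name `auditManifest` and the risk labels are constructed for illustration.

```javascript
// Added example: flag Chrome extension manifests whose declared access
// would let the extension read or modify pages on every site.
// Sample manifests below are constructed, not taken from real extensions.

// Match patterns that cover all sites.
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
// API permissions that expose data across tabs or sites.
const SENSITIVE_APIS = new Set(['tabs', 'scripting', 'cookies', 'webRequest', 'debugger']);

function auditManifest(manifest) {
  const findings = [];
  let broad = false;
  // Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of declared) {
    if (BROAD_HOSTS.has(p)) { broad = true; findings.push(`broad host access: ${p}`); }
    else if (SENSITIVE_APIS.has(p)) findings.push(`sensitive API: ${p}`);
  }
  // Content scripts run inside every matching page and can touch its DOM.
  for (const cs of manifest.content_scripts || []) {
    for (const m of cs.matches || []) {
      if (BROAD_HOSTS.has(m)) { broad = true; findings.push(`content script on all sites: ${m}`); }
    }
  }
  const risk = broad ? 'high' : findings.length ? 'medium' : 'low';
  return { risk, findings };
}

// Constructed sample: asks for far more than a note-taking tool needs.
const noteTaker = {
  name: 'Constructed: note taker', manifest_version: 2,
  permissions: ['storage', 'tabs', 'http://*/*', 'https://*/*'],
  content_scripts: [{ matches: ['<all_urls>'], js: ['inject.js'] }],
};
// Constructed sample: limited to a single origin.
const scopedHelper = {
  name: 'Constructed: scoped helper', manifest_version: 3,
  permissions: ['storage'], host_permissions: ['https://example.com/*'],
};

for (const m of [noteTaker, scopedHelper]) {
  const { risk, findings } = auditManifest(m);
  console.log(`${m.name}: ${risk}`);
  findings.forEach((f) => console.log(`  - ${f}`));
}
```

A "high" result does not mean the extension is malicious, only that a bug or a hostile update in it would reach every tab, including a banking session.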