
I mucked with this a while back. You can dump all your passwords over the websocket pretty easily (provided your 1Password is unlocked):

https://gist.github.com/joevennix/438782cbe447e86f2506

It would be more interesting if an arbitrary website could do this, but they prevent that attack by checking the Origin header on the initial websocket request.
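
The Origin check mentioned in the comment above, sketched as an added example (not from the comment, the gist, or 1Password's code): a server-side allowlist test applied to the WebSocket upgrade request. The allowlisted origins and the `checkUpgradeOrigin` and `runSamples` names are constructed for illustration.

```javascript
// Added example: decide whether to accept a WebSocket upgrade based on Origin.
// Header names are expected lowercased, as Node's http module provides them.
// The origins below are constructed placeholders, not real product values.
const ALLOWED_ORIGINS = new Set([
  "chrome-extension://exampleextensionid",
  "https://app.example.test",
]);

function checkUpgradeOrigin(headers, allowed = ALLOWED_ORIGINS) {
  // Only the initial handshake carries Origin; later frames do not.
  const upgrade = String(headers["upgrade"] || "").toLowerCase();
  if (upgrade !== "websocket") return { ok: false, reason: "not-websocket-upgrade" };

  const origin = headers["origin"];
  // Browsers always send Origin on a WebSocket handshake and page script
  // cannot override it. Non-browser clients can send any value or none,
  // so this check stops cross-site web pages, not local processes.
  if (typeof origin !== "string" || origin === "") {
    return { ok: false, reason: "missing-origin" };
  }
  // Sandboxed iframes and some file/data contexts serialize as "null".
  if (origin === "null") return { ok: false, reason: "opaque-origin" };

  // Exact match on the serialized origin (scheme://host[:port]).
  // Prefix, suffix or substring tests would accept lookalike hosts.
  if (!allowed.has(origin)) return { ok: false, reason: "origin-not-allowed" };
  return { ok: true, reason: "allowed" };
}

// Constructed sample handshakes showing each outcome.
function runSamples() {
  const samples = [
    { upgrade: "websocket", origin: "https://app.example.test" },
    { upgrade: "websocket", origin: "https://app.example.test.attacker.test" },
    { upgrade: "websocket", origin: "null" },
    { upgrade: "websocket" },
    { origin: "https://app.example.test" },
  ];
  return samples.map((h) => checkUpgradeOrigin(h).reason);
}

console.log(runSamples());
```
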


