Roee Hay recently posted a blog post on the Watchfire blog about an XSS bug in the Tamper Data extension (it was posted much earlier, but removed quickly; RSS is fun), however when he assessed the impact he was wrong.
The context of the window is still within the extension, and so by executing the following code you can launch an executable:
var file = Components.classes["@mozilla.org/file/local;1"]
(Code stolen from http://developer.mozilla.org/en/docs/Code_snippets:Running_applications)
But even then; I had never even heard of the Graphing functionality in Tamper Data, and given the need to actually use the functionality on a dodgy page, the chance of anyone getting owned with this seems very small to me.