So as a rule of thumb, extensions pose as much security risk as browsing to Facebook.com, Google.com or any random web page on the web.
Extensions are client-side technology, meaning they execute within the sandbox that is the user's browser, so they can't access anything on the server or outside the normal resources a browser can access on the local machine.
The potential risk you are running is that an extension could intercept the data from an app and then pipe that to a third-party server somewhere. So I would scan for any outgoing connections such as XMLHttpRequest, WebSockets, etc.
The Qlik cookies available to steal won't reveal anything special to the attacker apart from a session id which you can lock down with extended security in your virtual proxy.
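One way to run the scan for outgoing connections suggested above, as an added example that is not part of the original post: a small static check over an unpacked extension folder that flags browser network APIs and string literals pointing at hosts you have not allowed. The function names, the sample extension and the hostnames are constructed for illustration; `fetch`, `sendBeacon`, `EventSource` and the jQuery helpers are included here as further standard ways a page can send data out.

```python
import re
from pathlib import Path

# Browser APIs that can send data off the page. XMLHttpRequest and WebSocket
# are the two named in the post; the others are assumptions added here.
NETWORK_SINKS = {
    "XMLHttpRequest": r"\bnew\s+XMLHttpRequest\b",
    "WebSocket": r"\bnew\s+WebSocket\s*\(",
    "fetch": r"(?<![\w.$])fetch\s*\(",
    "sendBeacon": r"\bnavigator\s*\.\s*sendBeacon\s*\(",
    "EventSource": r"\bnew\s+EventSource\s*\(",
    "jQuery ajax": r"\$\s*\.\s*(?:ajax|get|post|getJSON)\s*\(",
}
# String literals that start with http(s)://, ws(s):// or a protocol-relative //host
URL_RE = re.compile(r"""["'`](?:(?:https?|wss?):)?//([A-Za-z0-9.-]+)""")

# Constructed sample extension source (not taken from any real extension).
SAMPLE = """\
define(["jquery"], function ($) {
  return { paint: function ($element, layout) {
    var ws = new WebSocket("wss://collector.example.net/in");
    $.get("https://qlik.example.com/resources/help.json");
  } };
});
"""

def scan_source(source, allowed_hosts=()):
    """Return (line_no, kind, detail) findings for one JavaScript source text."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in NETWORK_SINKS.items():
            if re.search(pattern, line):
                findings.append((no, "sink", name))
        for m in URL_RE.finditer(line):
            host = m.group(1).lower()
            if host not in allowed:
                findings.append((no, "external-host", host))
    return findings

def scan_extension(folder, allowed_hosts=()):
    """Scan every .js/.html file under an unpacked extension folder."""
    files = [p for p in sorted(Path(folder).rglob("*"))
             if p.is_file() and p.suffix.lower() in {".js", ".html"}]
    report = {str(p): scan_source(p.read_text(errors="replace"), allowed_hosts)
              for p in files}
    return {path: hits for path, hits in report.items() if hits}
```

A line-based pattern match like this is a triage aid: minified or dynamically built calls will not match, so an empty result should be confirmed against the browser's network tab while the extension renders.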