Play projects you trust
Short
Never execute a snippet that was provided by an untrusted source.
Longer
With great power comes great responsibility. CBA provides ability to automate quite a lot of annoying and repetitive tasks, but as in case of any powerful tool the power can be missused. As the CBA is user centric product it's our responsibility to keep our users secure and aware. Most of the actions in the CBA provide only limited access to what can be done, mostly it's about manipulating inputs, but actions like inject, bg-inject and cs-inject are capable of doing not only this, as those gives you access to the full capabilities of automating Chrome browser through code injections.
The most important precaution you should take is to ensure that you trust the code you are executing, never execute a snippet that was provided by an untrusted source.
If you are in control of the actions and using trusted snippets, you don't have to be worried about anything, just enjoy your powerful capabilities and be creative in what you are creating.
At CBA we are not aware of such actions beeing taken previously, but it's our responsibility to inform you in advance to keep our users safe.