~
My guess, they cannot if you encrypt the wallet? Or they can do it even with an encrypted wallet?
i don't think so, if sometime we tried to open our wallet, for example Myetherwallet, when we trying to open our wallet from the site, we must choose (usually) json file or private key, i think they can read the decrypt key from this site and send the code to owner from this extension, like keylogger but with another improvement for read the decrypt key directly from our browser