Security
Grey Tab connects to Salesforce by reading your existing session ID from Chrome's cookie cache and then opening a connection to Salesforce via the AJAX Toolkit (a JavaScript-based implementation of the Partner SOAP API).
What does that mean? It means that Grey Tab "piggybacks" on your existing session with Salesforce rather than creating its own. This is in contrast to applications like Data Loader that need your username and password to generate their own session.
By using your existing session ID, Grey Tab never has access to your Salesforce password. When you log out or your session expires due to inactivity, Grey Tab's access to your org will expire as well. Unlike OAuth, there is no lasting access token that you will need to revoke.
Because Grey Tab uses the standard Salesforce APIs, it does not enable you to perform actions that would be unavailable to other applications.
You cannot use Grey Tab to violate sharing, CRUD, FLS, or other security controls, because the underlying query call it uses always enforces them for the running user's permissions. This means, for example, that fields you have no access to won't show up at all in the record details pane.
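
Reading a session ID from Chrome's cookie store, as described above, requires an extension to hold both the `cookies` permission and a host permission covering the Salesforce domain. The following added example (not Grey Tab's code; the manifests and the host name are constructed) classifies a manifest on that basis, which is useful when reviewing which extensions could reuse a session this way.

```javascript
// Added example, not Grey Tab's code: decide from an extension manifest whether
// chrome.cookies could return the cookies of a given HTTPS host.

// True when a Chrome match pattern covers https://<host>/.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|[^\/]+)\//.exec(pattern);
  if (!m) return false; // API permission such as "cookies", or unsupported scheme
  const [, scheme, hostPart] = m;
  if (scheme === "http") return false; // assumption: the session cookie is HTTPS-only
  if (hostPart === "*") return true;
  if (hostPart.startsWith("*.")) {
    const base = hostPart.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === hostPart;
}

// "granted": usable at install time; "optional": usable after a runtime
// permission prompt; "none": the manifest cannot reach this host's cookies.
function cookieAccess(manifest, host) {
  const declared = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const optional = [...(manifest.optional_permissions || []),
                    ...(manifest.optional_host_permissions || [])];
  const all = [...declared, ...optional];
  const covers = (list) => list.some((p) => patternCoversHost(p, host));
  if (!all.includes("cookies") || !covers(all)) return "none";
  return declared.includes("cookies") && covers(declared) ? "granted" : "optional";
}

// Constructed manifests and host name, for illustration only.
const HOST = "acme.my.salesforce.com";
const SAMPLES = {
  mv3Scoped: { manifest_version: 3, permissions: ["cookies"],
               host_permissions: ["https://*.salesforce.com/*"] },
  mv2Broad: { manifest_version: 2, permissions: ["cookies", "<all_urls>"] },
  promptLater: { manifest_version: 3, permissions: ["storage"],
                 optional_permissions: ["cookies"],
                 host_permissions: ["https://*.salesforce.com/*"] },
  noCookieApi: { manifest_version: 3, permissions: ["tabs"],
                 host_permissions: ["https://*.salesforce.com/*"] },
  otherSite: { manifest_version: 3, permissions: ["cookies"],
               host_permissions: ["https://*.example.com/*"] },
};

function auditSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, m]) => [name, cookieAccess(m, HOST)]));
}

console.log(auditSamples());
```

The pattern matcher covers only the `*`, `http` and `https` schemes and ignores ports and paths, which is enough for a permission review but is not a full match-pattern implementation.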