Breach of the sandbox?

I was looking for a better screenshot extension than the Simple Screenshot extension I had been using, so I downloaded the Aviary Screen Capture extension from the Chrome Store. Nice, full featured image capture and editing tool.  Then I went to save a screenshot locally, and it brought up the Linux root directory!  I've been trying to use the Cr-48 in its "pure form" to see just how much can be done using only cloud computing (and I've been pleasantly surprised at how much I have been able to do), so I've never switched on the developer switch or tried to force a boot into the Linux (although I knew it was there). This is the first time I've seen the underlying OS directories listed on this machine and they were being displayed by a web app that was supposed to be operating inside the Chrome OS sandbox.  Looks like that extension has broken the Chrome security model. And, if it can do it, what's preventing another extension from doing the same, but not being so blatant about it?  If this extension really has broken the Chrome OS security model, that eliminates one of the primary strengths of the Chrome OS. Part of the reason for giving up the ability to run local apps in Chrome OS is to have a more secure machine. If a Chrome extension can gain root access, might as well dump Chrome OS for Android!