Hi, author here. You are right, the password is generated on the fly using URL, unique seed and provided passphrase. The extension javascript is sandboxed from the webpage, so it is not possible to obtain the inputs to the PBKDFunction from the context of website.

I have coded this for myself and using it more than 2 years. The only problems are with some dynamically created login forms, like new reddit login.