Malware can search for it because the data has the same rights as you. Instead of stealing, it'll just post spam from your account. At least that's how I'd exploit it.
AFAIK only the PW is local, and signing is done via conjunction of the server key and PW. I think changing your PW would shut-off compromised browsers.
But if the attacker has the wherewithal to export the private key from within the account, you're out-of-luck for that address.
