Hello ronenhaim,
I am one of the developers of 1Password. It is a good idea to be paranoid when it comes to security.
Let me tell you more about the script.
All applications in the Mac App Store must be sandboxed and the don't have access to your system unless you explicitly grant the access. The ~/Library/Application Scripts folder is one of the ways of explicitly granting the access to sandboxed applications.
If you look at the installed script (~/Library/Application Scripts/2BUA8C4S2C.com.agilebits.onepassword-osx-helper/1Password_Autosubmit.sc pt), it consists of a single line:
tell application "System Events" to keystroke return
Running this script will send a Return key code to the web browser.
Why is this script needed?
The 1Password browser extension fills the username and password values on web pages. After the values are filled, the web form could be submitted. In the past we tried different methods of submitting the form. Unfortunately, none of the options available to the browser extension running in JavaScript is reliable enough. For example, calling form.submit in JavaScript is not working on pages where additional logic is performed when one of the form buttons is clicked.
Sending the Return key to the form turned out to be the most reliable way of submitting the web form and this is what the script does.
I hope this answers your question.
Best regards,
Roustem Karimov
Founder of AgileBits