The missing lines at the bottom is a bug that got fixed just after this release. The next Secure Shell release won't have the issue.
And your browser size issue goes away if you open the terminal in its own window. Chrome even has an "Open as Window" option (right click on the Secure Shell icon) to open in a window with no browser UI.
The only part about this written in NaCl is the "ssh" command. The terminal emulator portion of it is entirely JS.
The only reason it isn't currently cross-browser is because I don't have enough time in the day to make it work everywhere. I tried not to make it too Webkit specific though. If some brave JS hacker/Firefox user wants to make this cross browser, I'd be happy to help.
The difficulty interrupting something like 'yes' is a known issue. We need to add some flow control to deal with cases where the network overwhelms the UI. This also makes hterm appear slow when cat'ing /usr/share/dict/words, and running aafire. A fix is in the works.
Yes, as you mention, automatic updates are something you already accept with Chrome. It also seems to be the way Firefox is heading. And Android and iOS apps. Anyone is free to build a version locally if they really want to stick with a particular version.
The webstore may require an account, but the source is open. You're welcome to build it yourself. Or, create a throw-away account and download the CRX, then install it in your "real" account.
Of course the current version is buggy, it says that right in the web store description! I've been working on it for a few months now, but it's difficult to get everything right in a terminal without a lot of users. I fixed an issue after the 0.7.9 release that may be what you're describing, but I can't know for sure without more details.
FWIW, as the FAQ says, the terminal emulator and the NaCl SSH client are essentially two codebases. Maybe you could impress people by creating a good-web-citizen version of the SSH command and combine it with hterm.
That would most definitely require an HTML-to-SSH relay in the middle (which hterm supports). Then you'd have to trust that though, at which point you have to decide where you really want your potentially untrustworthy code to live.
The app opts-in to a strict Content Security Policy <http://www.w3.org/TR/CSP/>, which disallows 'eval' entirely. It also severely restricts where and how JS can be loaded with the script tag, setTimeout/setInterval, and event attrbites. It's essentially intended to make sure that only the JS that shipped with the extension can be executed.
There may be undiscovered exploits, of course, but CSP severely reduces the chances.
This app is part of a small whitelist of apps that can make this type of connection. It's a temporary solution though. The Chrome team is working on ways to make the functionality more widely available.
Just got through scouring the pepper 19 docs for any mention for how this was done. Exciting to see this kind of functionality enabled, but apprehensive about chrome apps developing into an android style permission nightmare. Perhaps if the user always had the ability to arbitrarily revoke permissions and block them by default.