Lots of Tool Labs tools are of varying quality. It is highly likely that many of them have XSS vulnerabilities. I think it might be prudent to give each one a separate domain (so instead of tools.wmflabs.org/tool-name, do tool-name.tools.wmflabs.org). This would make it much more difficult to steal cookies, etc. from other tools if someone got an XSS. (Of course this doesn't eliminate everything (see e.g. https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-zheng.pdf), but it does make exploiting that sort of thing that much harder.)
I have no idea how difficult a thing this would be to do.
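The isolation this proposal relies on, as an added example that is not part of the original post: a small Node.js model of which cookies are in scope for a document under each URL layout. The tool names, cookie names and the `domainMatches` / `cookiesInScope` helpers are constructed for illustration.

```javascript
// Added illustration, not code from the original post. Tool and cookie
// names are constructed; the helpers are hypothetical.

// RFC 6265 section 5.1.3: is the host inside the cookie's Domain?
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Names of cookies in scope for any document on pageUrl's origin.
// Path is ignored on purpose: RFC 6265 section 8.5 states it cannot be
// relied on for security, since same-origin documents can reach each
// other regardless of path.
function cookiesInScope(pageUrl, jar) {
  const host = new URL(pageUrl).hostname;
  return jar
    .filter((c) => (c.domain ? domainMatches(host, c.domain) : host === c.setBy))
    .map((c) => c.name)
    .sort();
}

// Layout 1: every tool is a path on one shared host (one origin for all).
const sharedHostJar = [
  { name: "tool_a_session", setBy: "tools.wmflabs.org", domain: null, path: "/tool-a" },
  { name: "tool_b_session", setBy: "tools.wmflabs.org", domain: null, path: "/tool-b" },
];

// Layout 2: one subdomain per tool. tool-c sets Domain=tools.wmflabs.org,
// which widens its cookie to every sibling tool.
const perToolJar = [
  { name: "tool_a_session", setBy: "tool-a.tools.wmflabs.org", domain: null, path: "/" },
  { name: "tool_b_session", setBy: "tool-b.tools.wmflabs.org", domain: null, path: "/" },
  { name: "tool_c_prefs", setBy: "tool-c.tools.wmflabs.org", domain: "tools.wmflabs.org", path: "/" },
];

console.log(cookiesInScope("https://tools.wmflabs.org/tool-b/", sharedHostJar));
console.log(cookiesInScope("https://tool-b.tools.wmflabs.org/", perToolJar));
```

Host-only cookies stay with the tool that set them under the per-tool layout, while a cookie set with a parent-domain `Domain` attribute is still shared, so tools would need to avoid setting cookies on `tools.wmflabs.org` itself.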