How worried should I be about getting hacked with PoisonTap?
First the attacker needs to have physical access to the machine in order to plug the device into the USB port. This means any kind of full remote exploit is not possible. It does work though if the computer screen is locked with a password or similar. Note that the physical access does not need to be direct, i.e. it can also be some gullible user plugging a donated USB stick into the system.
Then the device announces itself as a USB ethernet device. This means that the computer will try to add PoisonTap as a network device to the system and get an IP address from it using DHCP. The DHCP response will return an IP address with a /1 subnet so that most IPv4 traffic is sent to the device. From then on the attacker has the same access to the device like a router: in fact the device works as a router for the attacked computer. This means that any traffic can be easily sniffed and modified but that encrypted connections are still protected against decryption and modifications get detected. This means for example that access of gmail over https (the usual way) will not be compromised.
At the end it is just another way for a local attacker. The impact of the attack is comparable to redirecting someone's traffic via ARP or DHCP spoofing, hijacking the local router or a rogue access point. Not more can be done as with these attacks but also nothing less. It looks like that the software comes with some nice attacks which modify unencrypted HTTP connections to access different sites in order to poison the browsers cache with heavily used scripts (like a poisoned google analytics etc). Since many sites include such third party code and such code gets access to the full page a poisoned code can extract lots of useful information. But again, this works only for HTTP not HTTPS.
Is the general population at risk, or only a very specific subset (os,browser?)
Most current systems are at risk but the attacker needs physical access.
What exactly is at risk, your data, your gmail account ...?
Sniffing and modification of unencrypted connections. Gmail usually is encrypted and thus not affected.
Is it something that most people can pull off, or does it depend on specific hardware and a high level of skill?
It needs special hardware and software but the hardware is cheap and the software released. It needs about the same level of experience as attacks like ARP or DHCP spoofing, i.e. script kiddies could do it.
Is there something that one can do easily, without closing all browsers or turning off the pc each time when you walk to a different room to ask a short question. (Is locking it sufficient?)
The usual protections against other USB based attacks still work, i.e. disable USB or restrict the kind of devices. But note that if the device has an ethernet port you could mount a similar attack through this since any kind of wired connections is preferred to wireless by most systems.
The scope of what "PoisonTap" can do is equivalent to what can already be done with a malicious local network or wifi access point you plug in/connect to. In either case, there are all sorts of serious dangers if you're using unencrypted (e.g. plain-http) connections for anything that matters (providing login credentials, browsing sensitive content, downloading executable code or data files that could contain malformed data intended to exploit a bug in the application using them, etc.) but there is negligible risk to encrypted connections. And setting up a fake access point is a much lower risk to the attacker than plugging something into the victim's laptop, so I don't see why a competent attacker would choose the PoisonTap approach.
The attack is only feasible with local access and only on systems that automatically dhcp-enable randomly-connected network hardware. Sadly, the three major OSes do so, but some other ones more concerned with security (such as OpenBSD and friends) do not. One can predict that as a result of this attack, maybe Windows, MacOS and Linux will change their behaviour to favor security over convenience. But only in this one area, until somebody finds another way to exploit their stance in the convenience-over-security tradeoff in a different area.