by jstanley 3042 days ago
Regardless of your threat model, you can read the code and see how it works. It's short and easy to understand. It doesn't send anything more than the first 5 characters of the SHA1 hash.
1 comment

Sure, but that leaks some information about your password. SHA-1 hashes are significantly quicker to compute than a password hash (and rainbow tables exist, making it even faster). So the first five characters can be used to narrow the search space.

This is, however, not likely a real problem unless your threat model includes targeted attacks.
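
The trade-off discussed in the two comments above, as an added example that is not part of the thread and is not the code of the tool being discussed: the client sends only the 5-character SHA-1 prefix and matches the rest locally, and the same prefix reveals 20 of the hash's 160 bits. The service is simulated offline; the `SUFFIX:COUNT` response format, the function names and all sample data are assumptions made for illustration.

```python
import hashlib

PREFIX_LEN = 5  # hex characters the client reveals, per the thread

def split_hash(password):
    """Return (prefix sent to the service, suffix that stays on the client)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def simulated_range_response(breached, prefix):
    """Stand-in for the service: every known suffix under this prefix.
    The 'SUFFIX:COUNT' line format is an assumption of this example."""
    rows = []
    for pw, count in breached.items():
        p, suffix = split_hash(pw)
        if p == prefix:
            rows.append(f"{suffix}:{count}")
    return "\n".join(rows)

def check_locally(password, response):
    """Match the suffix on the client; the full hash is never transmitted."""
    _, suffix = split_hash(password)
    for line in response.splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def bits_revealed():
    """Each hex character carries 4 bits of the 160-bit SHA-1 output."""
    return PREFIX_LEN * 4

def expected_survivors(candidates):
    """Expected size of a candidate list after filtering on the prefix."""
    return candidates / 16 ** PREFIX_LEN

def survivors(target, candidates):
    """Entries of a candidate list that remain consistent with the prefix."""
    prefix, _ = split_hash(target)
    return [c for c in candidates if split_hash(c)[0] == prefix]

# Constructed sample data, not real breach counts.
BREACHED = {"password": 3, "letmein": 2}
WORDLIST = ["password"] + [f"constructed-{i}" for i in range(50_000)]

if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print(prefix, check_locally("password", simulated_range_response(BREACHED, prefix)))
    print(bits_revealed(), expected_survivors(len(WORDLIST)), len(survivors("password", WORDLIST)))
```

A unique random password from a password manager is not in any candidate list, so the 20 revealed bits filter nothing; the narrowing only matters for guessable passwords.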