[Arch-TK]

Yes, pass is 800 lines of relatively straightforward bash and I am qualified to review bash. Now, granted, it uses GnuPG and git but in those cases I think the risk of problems is minimal.

I haven’t in all honesty read the Password Store android application (nor OpenKeychain) source code but I trust my phone sandbox capabilities enough for it not to do anything nefarious like send my passwords somewhere. Its also not so large that it would be hard to read it.

The point is, the operating principles behind how Pass works are simple enough that its relatively easy to verify the core of any implentation and relatively difficult to smuggle in nefarious behavior.