by wolfgangK 531 days ago
How do we know that this extension can be trusted?
3 comments

We simply can't, I guess. Not after the original repo is long gone due to DMCA. Therefore, better to mention to do your own due diligence.
You run it in a VM that you only use for casual web browsing, so the scope of possible damage is limited.
We read the source code.
I suggest looking into the Obfuscated C contest before relying on your own reading of code to verify lack of malicious intent.
Then it auto-updates.
I highly recommend turning off auto updates on browser extensions.
Then we blindly trust that someone else is still reading the new version’s code and will raise the alarm if something bad happens.
There's no source provided in the repo? It seems to just be a discussion of how to download the xpi from somewhere else.