by afarrell 4009 days ago
One option that might do something to ensure trust would be to have the JavaScript on the page that accepts the credentials be unminified and readable.
1 comments

Or provide a self-hosting option; JavaScript can be changed at any moment. Request A might look fine, but request B for the same file 5 minutes later could be malicious.
I think that'd be the best way to go. Or, half-way between hosted and self-hosted: in exchange for payment, provide a button that lets them launch a CuttlePhish instance on Heroku. (I'm not sure if this can be automated to the point that regular non-developers would understand it, though.)