How to I know this isn't a honeypot? To build something like this, I'd build it against something people already trust. Since here everything is new, it's difficult to want to paste anything into it.
I totally understand that concern, and I'm pretty security conscious too my self. A few things, you can check the console and network logs while you're interacting with the application. You'll see we Retriever doesn't send anything to a server. If that's not convincing, you can also run your own instance of it and see it doesn't send anything.
