Sure, I can verify that things aren't being sent in plaintext, and I can verify that they're using sjcl, but I can't verify most of the other things I mentioned. How do I know they're using sjcl right and not introducing some vulnerability (yes, I know I can dig through their JavaScript, but that's a plain in the ass)? I'm not saying I think they've got any problems; I'm just saying, be careful.
These sorts of tools, while convenient, are dangerous without a proper understanding of what you're doing. User beware.
These sorts of tools, while convenient, are dangerous without a proper understanding of what you're doing. User beware.