2. Yes, you need to be careful. Similar to being careful about which commands you paste into your shell, which .sh files and scripts you run, and which packages you install. It won't auto-run anything though. And since everything is plaintext, it should help people to review for malicious intent. Maybe some checking for special characters would be a good feature to add.
3. There's no way to preview. If you don't know what a command will probably do and don't trust the source, you probably shouldn't run it. There is a keyboard shortcut for jumping to the source code though!
4. Yes, you can run as non-root. The current version is a bit out of date, and has a rough install process (the Kickstarter is all about improving that). Currently you need Ruby 1.9. I need to fix that soon - it probably won't be hard.
5. Ruby is a pretty decent language for manipulating text, and for getting stuff done quickly, so it's a good fit for Xiki. You can make a Xiki command via a .py, .js, or .coffee file though, so you don't need to know Ruby to make commands!
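The "checking for special characters" idea from point 2 above, sketched as an added example in Ruby (Xiki's own language). This is not Xiki's code and not the commenter's; it assumes the command to be reviewed arrives as a plain UTF-8 string. It flags the characters that let a command look different on screen from what a shell would actually run: zero-width and bidi-override code points, stray control characters, and other Unicode format characters. A reviewer can then see the text with those characters rendered visibly before deciding whether to run it.

```ruby
# Added example: scan plaintext commands for characters that can hide
# intent from a human reviewer. Hypothetical helper, not part of Xiki.

# Code points with a friendlier name than the generic Unicode category.
NAMED = {
  "\u200B" => "zero-width space",
  "\u200C" => "zero-width non-joiner",
  "\u200D" => "zero-width joiner",
  "\u2060" => "word joiner",
  "\uFEFF" => "byte-order mark",
  "\u202A" => "bidi left-to-right embedding",
  "\u202B" => "bidi right-to-left embedding",
  "\u202D" => "bidi left-to-right override",
  "\u202E" => "bidi right-to-left override",
  "\u2066" => "bidi left-to-right isolate",
  "\u2067" => "bidi right-to-left isolate",
  "\u2068" => "bidi first-strong isolate",
}.freeze

# Control characters that are normal in command text.
ALLOWED_CONTROL = ["\t", "\n", "\r"].freeze

# Returns a short reason string if the character deserves attention,
# or nil if it is ordinary printable text.
def reason_for(ch)
  cp = ch.ord
  return NAMED[ch] if NAMED.key?(ch)
  return "control character" if cp < 0x20 && !ALLOWED_CONTROL.include?(ch)
  return "delete character" if cp == 0x7F
  # Catch-all for remaining Unicode "format" characters (category Cf).
  return "format character (Cf)" if ch.match?(/\p{Cf}/)
  nil
end

# Walks the command and returns one finding per suspicious character:
# its character index, the code point as U+XXXX, and the reason.
def scan_command(text)
  findings = []
  text.each_char.with_index do |ch, i|
    reason = reason_for(ch)
    next unless reason
    findings << { index: i, codepoint: format("U+%04X", ch.ord), reason: reason }
  end
  findings
end

# True when nothing in the text needs a second look.
def clean_command?(text)
  scan_command(text).empty?
end

# Rewrites the command so every flagged character is shown as <U+XXXX>,
# giving the reviewer what the shell would actually see.
def render_visible(text)
  text.each_char.map do |ch|
    reason_for(ch) ? format("<U+%04X>", ch.ord) : ch
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a bidi override hidden inside an otherwise plain line.
  sample = "echo hello\u202Eworld"
  scan_command(sample).each do |f|
    puts "index #{f[:index]}: #{f[:codepoint]} (#{f[:reason]})"
  end
  puts render_visible(sample)
end
```

The hash of named code points is deliberately small; the `\p{Cf}` fallback is what makes the check cover the rest of the format characters without listing them, while tabs and newlines stay allowed because real command text uses them.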