Harbour QA does not quarantee application is not malicious. It can't unless they start to require source and review it. That would be too costly even in theory and it would kill the whole Jolla (store).

I hope openrepos will never start requiring source code submission or build on as that would only cause yet another "open repository" to popup. I know there are risks and I know typical consumer does not recognize those risks.