Ah, yes, nothing like running an unaudited application as root for security! Especially love the part where the developer signs with a 1024-bit DSA key and then uses ssh as root to deploy the Sparkle updates to a public webserver:
I haven't reviewed Obj-C code in over a decade, but I do know anything running with root authorization needs to be scrutinized carefully. And seeing blocks of code copy-pasted from stackoverflow, references to a 10-year-old operating system, use of SIGKILL instead of the proper SIGTERM, for example, does not exactly inspire the necessary confidence.
Sloth author here. To clarify, Sloth does not run with or require root privileges. However, it allows you to (optionally) run lsof itself with root privileges via Apple's Authorization framework. The application is Developer ID signed, but not notarized by Apple (which is a PITA). I guess it's "unaudited", but the source code is right there for anyone to view, analyze and build from scratch.
Also, I'd be curious to know what "blocks of code copy-pasted from stackoverflow" you found. As far as I know, I wrote all of Sloth myself, starting 19 years ago. As for references to "Mac OS X" in code comments, that seems rather pedantic given that this is very old code and Apple keeps changing the name of their operating system: Mac OS X -> OS X -> macOS.
That being said, thank you for identifying the appcast deployment script, which shouldn't have been in version control to begin with.
> scp SlothAppcast.xml root@sveinbjorn.org:/www/sveinbjorn/html/files/appcasts/SlothAppcast.xml
The references to "Mac OS X" (now over 10 years old) are the cherry on top.
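The update channel is the concrete risk this thread circles around: a Sparkle appcast whose enclosures are signed only with the legacy DSA scheme (the thread mentions a 1024-bit DSA key) or fetched over plain HTTP gives an attacker on the path a much easier job than a notarized, EdDSA-signed, HTTPS-served update. The script below is an added example written for this thread, not code from Sloth or from the Sparkle project. It parses an appcast with the standard library and flags enclosures that lack any Sparkle signature, carry only a `sparkle:dsaSignature` without a `sparkle:edSignature`, or point at a non-HTTPS URL. The attribute names and the Sparkle XML namespace are the ones Sparkle's own appcasts use; the sample appcast, its URLs and the signature strings are constructed placeholders.

```python
"""Audit a Sparkle appcast for weak signing and transport settings.

Added example for this discussion; not Sloth's code and not part of Sparkle.
It reads an appcast (RSS 2.0 with the Sparkle namespace) and reports the
weaknesses raised in the thread: enclosures signed only with legacy DSA,
enclosures with no signature at all, and downloads not served over HTTPS.
"""
import xml.etree.ElementTree as ET

# Namespace Sparkle uses for its appcast attributes.
SPARKLE_NS = "http://www.andymatuschak.org/xml-namespaces/sparkle"

# Constructed sample appcast (hosts, versions and signatures are placeholders):
#   1.0  DSA-only signature, served over plain HTTP   -> two findings
#   1.1  EdDSA signature, served over HTTPS           -> clean
#   1.2  no signature at all, served over HTTPS       -> one finding
SAMPLE_APPCAST = f"""<rss version="2.0" xmlns:sparkle="{SPARKLE_NS}">
  <channel>
    <title>ExampleApp Updates</title>
    <item>
      <title>Version 1.0</title>
      <enclosure url="http://updates.example.invalid/ExampleApp-1.0.zip"
                 sparkle:version="100" sparkle:shortVersionString="1.0"
                 sparkle:dsaSignature="PLACEHOLDER_DSA_SIGNATURE=="
                 length="12345" type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 1.1</title>
      <enclosure url="https://updates.example.invalid/ExampleApp-1.1.zip"
                 sparkle:version="110" sparkle:shortVersionString="1.1"
                 sparkle:edSignature="PLACEHOLDER_ED25519_SIGNATURE=="
                 length="12346" type="application/octet-stream"/>
    </item>
    <item>
      <title>Version 1.2</title>
      <enclosure url="https://updates.example.invalid/ExampleApp-1.2.zip"
                 sparkle:version="120" sparkle:shortVersionString="1.2"
                 length="12347" type="application/octet-stream"/>
    </item>
  </channel>
</rss>
"""


def _sparkle_attr(element, name):
    """Read a namespaced sparkle:<name> attribute, or None if absent."""
    return element.get(f"{{{SPARKLE_NS}}}{name}")


def audit_appcast(xml_text):
    """Return a list of (version, finding) tuples, one per weakness found."""
    findings = []
    root = ET.fromstring(xml_text)
    for item in root.iter("item"):
        enclosure = item.find("enclosure")
        if enclosure is None:
            continue
        version = _sparkle_attr(enclosure, "shortVersionString") or "?"
        url = enclosure.get("url", "")
        has_dsa = _sparkle_attr(enclosure, "dsaSignature") is not None
        has_ed = _sparkle_attr(enclosure, "edSignature") is not None

        # Transport: Sparkle verifies signatures, but plain HTTP still exposes
        # the appcast and archive to tampering before verification runs.
        if not url.lower().startswith("https://"):
            findings.append((version, "enclosure not served over HTTPS"))

        # Signing: no signature means no integrity check; DSA-only means the
        # update still depends on the legacy (often short) DSA key.
        if not has_dsa and not has_ed:
            findings.append((version, "enclosure has no Sparkle signature"))
        elif has_dsa and not has_ed:
            findings.append((version, "enclosure signed with legacy DSA only"))
    return findings


if __name__ == "__main__":
    for version, finding in audit_appcast(SAMPLE_APPCAST):
        print(f"{version}: {finding}")
```

Run it against a real appcast by replacing `SAMPLE_APPCAST` with the file contents; an empty result means every enclosure is EdDSA-signed and served over HTTPS, which is the baseline a reviewer would want before worrying about how the appcast itself gets uploaded.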