That was my first assumption too, but Wireshark doesn't show anything going across the network as I type, and nothing that looks incriminating when I click "donate" with text in the password box. It looks like it's entirely client-side JavaScript as it claims to be. Kind of disappointing, actually.

edit: ...Unless it's clever enough to only be evil some fraction of the time. I didn't actually check through the code.