
Yes, but the bookmarklet only contains one line of code, which fetches the remainder of the script from your server. So you could possibly replace it at any time with something evil...

Sorry for being paranoid. I very much like your initiative, but people are going to ask questions about these sorts of things.




Yeah, I understand the concern; that is partially why I linked the source to my own GitHub account (adds some accountability) and left everything uncompressed and commented. Unfortunately, it isn't possible to put the entire source into the bookmarklet itself due to browser length limitations, so the remainder of the code will always need to be loaded separately.


Shame there isn't a way (in HTML) to say "the src of this <script> is at http://.... and its SHA512 is a5872... or it's signed by GPG key 0x1276e...". That would solve that problem.
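The hash pin asked for in the last comment, as an added example that is not part of the thread or of the linked project: a loader that fetches the remote script, checks it against a pinned digest, and refuses to run it if the bytes have changed. The pin uses the `sha512-<base64>` form of Subresource Integrity (the `integrity` attribute on `<script>`); `computePin`, `matchesPin`, `loadPinned`, `fetchText` and `run` are hypothetical names.

```javascript
// Added example: pin a remotely loaded script to a digest before running it.
// Web Crypto in browsers; falls back to Node's webcrypto when run under Node.
const subtle = (globalThis.crypto || require("node:crypto").webcrypto).subtle;

const ALGOS = { sha256: "SHA-256", sha384: "SHA-384", sha512: "SHA-512" };

// Base64-encode a digest returned as an ArrayBuffer.
function toBase64(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin);
}

// Compute the pin string ("<algo>-<base64 digest>") for a script body.
async function computePin(source, algo = "sha512") {
  const bytes = new TextEncoder().encode(source);
  const digest = await subtle.digest(ALGOS[algo], bytes);
  return `${algo}-${toBase64(digest)}`;
}

// True only if the source hashes to exactly the pinned value.
async function matchesPin(source, pin) {
  const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})$/.exec(pin);
  if (!m) return false; // unknown algorithm or malformed pin: fail closed
  return (await computePin(source, m[1])) === pin;
}

// What the one-line bookmarklet would call instead of loading the script
// directly: fetch, verify, and only then execute. `fetchText` and `run` are
// injected so the check can be exercised offline with constructed input.
async function loadPinned(url, pin, fetchText, run) {
  const source = await fetchText(url);
  if (!(await matchesPin(source, pin))) {
    throw new Error(`integrity check failed for ${url}`);
  }
  run(source);
  return true;
}
```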



