I know Homebrew is vetted, but I personally like to always check where this is pulling in its installer file - and it appears to match the domain as is in the Github repo.
You might already know this but you can do that by command line with 'brew cask audit sloth' to see where it's pulling from...I'm paranoid enough too :O
> Check formula for Homebrew coding style violations. This should be run before submitting a new formula. Will exit with a non-zero status if any errors are found, which can be useful for implementing pre-commit hooks. If no formula are provided, all of them are checked.
brew cask install sloth