cSploit downloads 3rd party "core" -- can find no information about this!

Upon installing and running cSploit (org.csploit.android), I am told:

Core version 1.0.11 is available, do you want to upgrade?

Then, when selecting "Yes", the download of core.tar.xz begins.

I have no idea what is being downloaded here. A quick check on the gateway would appear to show it coming from GitHub; i.e., a 3rd-party source, outside of the control of f-droid. The cSploit page in the repo does not mention this behaviour, nor does the wiki page.

It seems to me that what is going on here is inherently unsafe. Unless I am mistaken (and I hope that I am), it seems that an f-droid app, upon first execution, downloads 3rd-party content which may contain executable code, and it may execute it.

I was not under the impression that this was permissible. In particular, that an app

  • could, as a prerequisite of its operation, download, install and/or execute 3rd-party content,
  • could offer to upgrade from a 3rd party source

At the very least, there should be some mention of this on the app page, along with an explanation as to why -- if it is -- this behaviour is acceptable from the point-of-view of security and trust.

If I have misunderstood the situation, then I apologise for the noise.
