I like Bruce. I trust Bruce. However, as far as I can tell, this is a black box. There is no documentation on formats, protocols, and similar. I have no reason to trust the security of this system. The closest I could come would be to read the source code.
Sorry, should have mentioned a bit about that. The Password Safe format is public, open, and available here [1]. There's also plenty of code/libraries you can use to write your own clients, e.g. Javascript [2], Java [3], Python [4]. For what it's worth the core data encryption is done using the Twofish cipher. Hope that helps.
That both does and doesn't help. There is the format, which looks sensible. There are the protocols around it, key generation, salt generation, overall design, etc. which are not.
What actually scares me about the design is if my machine is compromised, an attacker can grab my Password Safe file (plus keylogs or whatever) and has access to all of my passwords. The design seems not very robust at a designs+protocols level.
(In contrast, right now, if a machine is compromised, it only compromises the passwords I've used from that machine).
