How? UTXO has his GitHub in his profile, I can see the Wisp repository and the releases provided. I add the URL and I'm done. I've used my "WoT" to determine what I install.

Both Github users were also on Zapstore and prominently shown. It's much easier to get phished with Obtainium as there is no additional web of trust layer.

All indexed apps on Zapstore, by the way, are pulled from their original location so its exactly the same as Obtainium in that regard