The default installation of slide allows any logged-in user to view the passwords of all users by examining the properties of /users/xxx. I think someone needs to go through the initial data set of Slide and make sure it's more secure, setting the minimal permissions on each folder for the product to work. I know it's just a sample but showing the password in this way is still bad - some people might use the initial data set to build their own structure on.
Also in the default Domail.xml, write-acl, implied by write, is given to everybody in the /files collection. Even though read-acl is given to the owner only, anybody can still change the acls of any object in the /files collection.