I've a question regarding readme excerpt:

Here is an example of how you can use spew.Sdump() to help debug a web application. Please be sure to wrap your output using the html.EscapeString() function for safety reasons. You should also only use this debugging technique in a development environment, never in production.

What does it mean, why it shouldn't be used in production? Why?

Spew requires unsafe (for all features, a safe version can be compiled with -tags safe) and memory/type safety is not guaranteed in all future Go releases. An upgrade to Go could introduce a security flaw in any application using spew.