Well, the safest way: Download the source code, study it and compile it yourself.
If that is not an option for you (which I assume), either use an older version (
https://autohotkey.com/download/1.1/) or believe in AHK. Of course, a hack can never 100 % ruled out - but that is true for every application and every website - but then old versions could also be affected. We have had false positives for nearly every version - in the end, they were all ok.
I just compared the exe-installer from just now (look above) with the one I downloaded and used since 4 weeks ago (atm 4 positives) - shortly after version 1.1.28 came out. It still creates the same hash on VirusTotal and hasn't shown suspicious behaviour in this time - it was also ok with my virus scanner.
But in the end - it is your decision. Just use common sense and an up-to-date system (and don't download AHK from dubious sources).