ethpm / ethpm-cli

CLI tool for interacting with the ethPM ecosystem.
https://ethpm-cli.readthedocs.io/
MIT License

Add warning / Improve security around installing ethpm URIs #94

Open njgheorghita opened 4 years ago

njgheorghita commented 4 years ago

"Only install packages from registries you trust" is a major requirement of ethpm. You should always trust the owner of a registry before installing (or activating) a package.

It might be a good idea to implement some kind of loose confirmation when you want to install / activate a package...

```
> ethpm install ethpm://0x123abc/wallet@1.0.0
Installing a package from the registry @ 0x123abc.
The owner of this registry is: 0x456def.
Do you trust this owner? Are you sure you want to install packages from their registry?
```
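
One way the confirmation proposed in this issue could work, as an added example that is not code from the issue or from ethpm-cli. It goes one step beyond the prompt above by remembering the approved owner per registry and warning when that owner later changes. Assumptions: `parse_uri`, `confirm_install`, the `get_owner` callable (a stand-in for the on-chain owner lookup) and the `trusted` dict are hypothetical names, and only the URI shape shown in the issue is accepted.

```python
import re

# Accepts only the URI shape shown in the issue: ethpm://<registry>/<name>@<version>
URI_RE = re.compile(r"ethpm://(0x[0-9a-fA-F]+)/([a-z][a-z0-9-]*)@([\w.+-]+)")


def parse_uri(uri):
    """Split an ethPM URI into (registry, package name, version)."""
    m = URI_RE.fullmatch(uri)
    if not m:
        raise ValueError(f"unsupported ethPM URI: {uri!r}")
    registry, name, version = m.groups()
    return registry.lower(), name, version


def confirm_install(uri, get_owner, trusted, ask=input):
    """Return True if the install may proceed.

    get_owner: hypothetical callable standing in for the on-chain owner lookup.
    trusted:   dict of registry -> owner the user approved earlier (assumed store).
    ask:       prompt function, injectable so the decision logic can be tested.
    """
    registry, name, version = parse_uri(uri)
    owner = get_owner(registry).lower()
    pinned = trusted.get(registry)
    if pinned == owner:
        return True  # same owner the user already approved, no prompt needed

    print(f"Installing {name}@{version} from the registry @ {registry}.")
    print(f"The owner of this registry is: {owner}.")
    if pinned is not None:
        # Ownership moved since the last approval: ask again, loudly.
        print(f"WARNING: the owner has changed since you approved it (was {pinned}).")

    answer = ask("Do you trust this owner? [y/N] ").strip().lower()
    if answer != "y":
        return False  # anything but an explicit "y" refuses the install
    trusted[registry] = owner  # pin the approved owner for later installs
    return True
```
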