micro-editor / plugin-channel

Official plugin channel for micro

The URLs in the linked repo.json should be constrained to a revision in the upstream repos. #87

Closed pbsds closed 1 year ago

pbsds commented 2 years ago

Merging a link to a repo.json here is equivalent to fully trusting the author with write access to that repo.json endpoint. The GitHub URLs should be constrained to a specific revision/release tag of the upstream repo, and the downloaded artifact should be constrained and verified with a hash.
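The two checks proposed above (a URL pinned to an immutable revision, and a hash over the downloaded artifact) are straightforward to express in Go, micro's own language. The following is an added example written for this page; it is not code from micro, the plugin channel, or the issue author. The `Sha256` field on the version entry, the function names, and the constructed payload bytes are assumptions for illustration, not part of the real repo.json format. The URL check accepts only GitHub paths that name a tag or a full commit hash (`archive/refs/tags/<tag>.zip`, `archive/<40-hex-sha>.zip`, or `releases/download/<tag>/<file>`); a bare `archive/<name>.zip` is rejected because `<name>` could be a branch that moves.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// PinnedVersion is a hypothetical version entry. The Sha256 field is an
// assumption added for this example; the real channel format has no such field.
type PinnedVersion struct {
	Version string
	Url     string
	Sha256  string // hex-encoded SHA-256 of the zip that Url must resolve to
}

// pinnedPath matches GitHub download paths that name an immutable object:
// a tag via refs/tags, a full 40-hex commit, or a release asset under a tag.
var pinnedPath = regexp.MustCompile(
	`^/[^/]+/[^/]+/(archive/refs/tags/[^/]+\.zip|archive/[0-9a-f]{40}\.zip|releases/download/[^/]+/[^/]+)$`)

// CheckPinnedURL rejects artifact URLs that could silently change content:
// non-https, non-GitHub hosts, and paths that refer to a branch or to a
// tag written in the ambiguous archive/<name>.zip form.
func CheckPinnedURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("unparseable artifact URL %q: %w", raw, err)
	}
	if u.Scheme != "https" {
		return errors.New("artifact URL must use https")
	}
	if u.Host != "github.com" {
		return fmt.Errorf("unexpected artifact host %q", u.Host)
	}
	if !pinnedPath.MatchString(u.Path) {
		return fmt.Errorf("artifact URL %q is not pinned to a tag or commit", raw)
	}
	return nil
}

// VerifyArtifact compares the SHA-256 of the downloaded bytes against the
// hex digest recorded in the channel. A tag can be force-moved by the
// upstream author; the digest cannot be changed without a PR to the channel.
func VerifyArtifact(data []byte, expectedHex string) error {
	if len(expectedHex) != sha256.Size*2 {
		return fmt.Errorf("expected digest has wrong length %d", len(expectedHex))
	}
	sum := sha256.Sum256(data)
	got := hex.EncodeToString(sum[:])
	if !strings.EqualFold(got, expectedHex) {
		return fmt.Errorf("artifact digest mismatch: got %s, want %s", got, expectedHex)
	}
	return nil
}

// InstallCheck runs both checks in the order an installer would: refuse the
// URL before downloading anything, then refuse the bytes before unpacking.
func InstallCheck(v PinnedVersion, downloaded []byte) error {
	if err := CheckPinnedURL(v.Url); err != nil {
		return err
	}
	return VerifyArtifact(downloaded, v.Sha256)
}

func main() {
	// Constructed stand-in for a downloaded plugin zip; no network is used.
	payload := []byte("constructed plugin zip payload")
	sum := sha256.Sum256(payload)

	good := PinnedVersion{
		Version: "1.0.0",
		Url:     "https://github.com/owner/plugin/archive/refs/tags/v1.0.0.zip", // hypothetical
		Sha256:  hex.EncodeToString(sum[:]),
	}
	fmt.Println("pinned entry:", InstallCheck(good, payload))

	moving := good
	moving.Url = "https://github.com/owner/plugin/archive/master.zip" // branch, not pinned
	fmt.Println("branch entry:", InstallCheck(moving, payload))

	tampered := append([]byte(nil), payload...)
	tampered = append(tampered, '!')
	fmt.Println("tampered zip:", InstallCheck(good, tampered))
}
```

The order of the checks matters for an installer: rejecting the URL first means a channel entry that points at a branch is refused without ever fetching it, while the digest check catches the case where a pinned tag was later force-moved to different content.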

zyedidia commented 1 year ago

Thanks for the valid concern. I have updated the plugin listing and update process so that plugin authors cannot arbitrarily modify the versions or zip files downloaded. Now plugin updates must be approved via a PR to this repository, and the plugin zip files can only be changed with write access to this repository (they are now hosted in this repository's releases instead of allowing plugin maintainers to host their own versions that are directly downloaded by micro -plugin install).

Of course users can still manually install whatever plugins they want, and even host their own custom plugin channels.