How to tell if a plugin is secure?

I’m looking at this plugin here and have a few questions: Bubble Plugin Editor - Read JSON and get value by key

  1. Is the entirety of the source code published there? This is running server-side, and I’m told that not all aspects of code are visible when used server-side. In this instance, is the entirety of the code visible under the “Action” block here, or is there more to it that’s hidden?
function(properties, context) {

    let obj = {};
    try{
        obj = JSON.parse(properties.json) || "";
    } catch (err){
        console.error ("error:" + err + "| This is your JSON:  " + properties.json )
    }
    let getValue = function(key){
        if (key.split('.').length > 1){
            let foundObj = obj;
            for (let thisKey of key.split('.')){
                if (typeof foundObj[thisKey] != 'undefined') foundObj = foundObj[thisKey];
                else return null
            }
            return foundObj;
        }
        else{
            return obj[key];
        }
    }
    let val = getValue(properties.key) || "";
    if ( val.constructor === Array ){

        switch (typeof val[0]){
            case 'number':
                return{"number_arr":val}
                break;
            case 'string':
                return{"string_arr":val}
                break;
            case 'boolean':
                return{"boolean_arr":val}
                break;
            case 'object':
                let jsonStringArr = [];
                for (let arrayItem of val){
                    jsonStringArr.push( JSON.stringify(arrayItem));
                }
                return{"json_arr_output":jsonStringArr}
                break;
            default:
                break;
                             }
    }
    else{
        switch (typeof val){
            case 'number':
                return{"number":val}
                break;
            case 'string':
                return{"string":val}
                break;
            case 'boolean':
                return{"boolean":val}
                break;
            case 'object':
                return{"json_string_output":JSON.stringify(val)}
                          }
    }



}
  1. Any “unknown unknowns” I should worry about with using a plugin like this? For example, could it potentially create logs that reveal data to a savvy user, or is it pretty much secure by virtue of it running server-side?

Any help you guys could offer would be really appreciated, thank you so much!

This code snippet is safe to run, but you should also check if this plugin calls any API and/or a JavaScript code stored in another server.

Thanks for your help! No way to tell at face value right? I’d have to install it, then check the Network section of Chrome Dev Tools?