Plugins can be made and published by anyone, and due to the nature of the app, they have access to anything on your system.

npm (the registry) has mechanisms to detect, report, and get rid of malware, but nothing is 100%, so you should exercise caution, and try installing only plugins you can trust.

Official Drovp plugins are marked with the icon.

Signs of a shady plugin: a low-quality readme, published very recently by a new npm account, no installs, no source code available...
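As an added example (not part of Drovp or its documentation), the checks below score a package against the signals listed above, using constructed npm registry documents. The field names (`readme`, `time.created`, `repository.url`) are the real npm packument fields; the weekly download count is assumed to come from npm's separate downloads API, the "14 days" threshold is an assumption, and maintainer account age is not available in the packument, so that signal is left to a manual check.

```javascript
// Added example: flag an npm plugin against the "shady plugin" signals.
// Packument field names match the npm registry; thresholds are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;
const RECENT_DAYS = 14;        // assumption: "very recently" = under two weeks
const MIN_README_CHARS = 200;  // assumption: shorter readmes count as low quality

// Returns the list of matched warning signs; two or more marks the plugin risky.
function assessPlugin(packument, weeklyDownloads, now = Date.now()) {
  const flags = [];
  const readme = (packument.readme || '').trim();
  if (readme.length < MIN_README_CHARS) flags.push('low-quality or missing readme');

  const created = Date.parse(packument.time?.created ?? '');
  if (Number.isNaN(created) || now - created < RECENT_DAYS * DAY_MS) {
    flags.push('published very recently');
  }
  if (!weeklyDownloads) flags.push('no installs');
  if (!packument.repository?.url) flags.push('no source code link');

  return { name: packument.name, flags, risky: flags.length >= 2 };
}

// Constructed sample documents (not real packages).
const freshPackage = {
  name: 'drovp-example-fresh',
  readme: 'does stuff',
  time: { created: '2024-06-01T00:00:00.000Z' },
  repository: undefined,
};
const establishedPackage = {
  name: 'drovp-example-established',
  readme: 'Usage, options and screenshots. '.repeat(20),
  time: { created: '2021-01-01T00:00:00.000Z' },
  repository: { type: 'git', url: 'git+https://example.invalid/repo.git' },
};
const NOW = Date.parse('2024-06-05T00:00:00.000Z'); // constructed "today"

console.log(assessPlugin(freshPackage, 0, NOW));
console.log(assessPlugin(establishedPackage, 1200, NOW));
```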