Installing npm modules seems similar, as far as the risks go? The assumption is that you have a semi-trusted source of good libraries that's at least somewhat resistant to supply-chain attacks. A similar thing could in theory be done for well-known skills, but it requires a community norm of not releasing crap.
So it seems like the question is how do you build something worthy of people's trust?