Did you know Athom doesn’t review the code of community apps? There’s a hidden route (not visible to regular users) in the Homey Developer Tools, which is the page they use for reviewing apps. I couldn’t see anything there other than the app manifest. So I think if someone really had bad intentions, they would just build an app for something many users have asked for. That would be far more effective for attackers than trying to get users to add a malicious OAuth app.
Edit: something similar has actually happened before (although that was about spamming the timeline):