
No offense to the people who built this, but sharing your username and password with random packages on the internet seems like a bad idea, especially for finance apps.



Working at a cybersecurity *aaS company has both made me paranoid about third-party code that I pull and also made me realize that at some point paranoia is paralyzing and some amount of risk is necessary.

Bad idea? Likely.

Worth the squeeze? YMMV.


The bad idea in this scheme is to not take a look at what the code does, considering these are open-source packages.


I agree, but that's not sufficient in an open source software supply chain. You also need to inspect the dependencies and you need to do this every time you pull any new versions.
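One concrete way to do the "every time you pull a new version" part of that check is to pin every dependency to a known SHA-256 and refuse anything that does not match. The following is an added example, not code from the thread or from any project named in it; it assumes a pip-style lockfile with `--hash=sha256:...` options (the layout `pip-compile --generate-hashes` emits) and uses constructed byte strings in place of real downloaded wheels.

```python
"""Verify downloaded dependency artifacts against pinned SHA-256 hashes.

Added example. Assumes a pip-style lockfile in which each requirement line
carries one or more `--hash=sha256:<hex>` options (the format produced by
pip-compile --generate-hashes). The lockfile and artifacts below are
constructed sample data, not real packages.
"""
import hashlib
import re
from dataclasses import dataclass, field

HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")
NAME_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")


@dataclass
class PinnedRequirement:
    name: str
    version: str
    hashes: set[str] = field(default_factory=set)


def parse_lockfile(text: str) -> dict[str, PinnedRequirement]:
    """Parse 'name==version --hash=sha256:...' lines, including backslash continuations.

    Rejects any requirement that is not pinned to an exact version and hash,
    because an unpinned line silently accepts whatever the index serves next time.
    """
    reqs: dict[str, PinnedRequirement] = {}
    # Join backslash-continued lines so each requirement is one logical line.
    logical = text.replace("\\\n", " ")
    for line in logical.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = NAME_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version = m.group(1).lower(), m.group(2)
        hashes = set(HASH_RE.findall(line))
        if not hashes:
            raise ValueError(f"{name}=={version} has no --hash pin")
        reqs[name] = PinnedRequirement(name, version, hashes)
    return reqs


def verify_artifact(req: PinnedRequirement, artifact: bytes) -> bool:
    """True only if the artifact's SHA-256 equals one of the pinned hashes."""
    return hashlib.sha256(artifact).hexdigest() in req.hashes


def verify_all(lockfile: str, artifacts: dict[str, bytes]) -> dict[str, bool]:
    """Map each pinned package to whether its downloaded artifact matched.

    A package that was pinned but never downloaded counts as a failure, so a
    missing artifact cannot pass by omission.
    """
    reqs = parse_lockfile(lockfile)
    return {
        name: (artifacts.get(name) is not None and verify_artifact(req, artifacts[name]))
        for name, req in reqs.items()
    }


# Constructed stand-ins for a downloaded wheel and a tampered copy of it.
GOOD_BLOB = b"constructed-wheel-contents-for-requests"
EVIL_BLOB = b"constructed-wheel-contents-with-something-extra"

# Constructed lockfile whose hash is computed from GOOD_BLOB above.
SAMPLE_LOCKFILE = f"""
# constructed sample; hash computed from the byte string above
requests==2.31.0 \\
    --hash=sha256:{hashlib.sha256(GOOD_BLOB).hexdigest()}
"""

if __name__ == "__main__":
    print("untampered:", verify_all(SAMPLE_LOCKFILE, {"requests": GOOD_BLOB}))
    print("tampered:  ", verify_all(SAMPLE_LOCKFILE, {"requests": EVIL_BLOB}))
```

The hash pin only helps if the lockfile itself is reviewed when it changes, which is the point of the comment above: a new version means a new hash, and that diff is exactly where a look at what the code does belongs.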


Sharing your username and password is considered "high security" nowadays, whereas merely "standard security" would be installing a rootkit or running shellcode each time you want to install something.
