
This also confused me a lot. I’m not sure I understand the threat model…


I guess the major thing is opening up the code to review it in an editor of choice and then having an LSP server running the build scripts automatically without you realizing it.

Reviewing code that you don't trust seems to be a pretty logical thing, and most people probably wouldn't expect that opening the code up in their favorite editor could cause their system to be harmed!


Many editors now prompt if you trust the code base on opening (VSCode, JetBrains products). If you really care you can open it in a sandbox?
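For VS Code specifically, the trust prompt mentioned above is driven by the Workspace Trust settings; the following `settings.json` fragment is an added example (not from the thread) showing the settings that keep an untrusted folder in Restricted Mode, where extensions that have not declared trust support, tasks and debugging do not run until you explicitly trust the folder. Comments are allowed here because VS Code reads `settings.json` as JSONC.

```json
{
  // Keep Workspace Trust on; setting this to false is the weak configuration
  // that lets every folder run extensions, tasks and build steps on open.
  "security.workspace.trust.enabled": true,

  // Ask every time an untrusted folder is opened rather than remembering a
  // one-off decision ("once" would stop prompting after the first answer).
  "security.workspace.trust.startupPrompt": "always",

  // Individual untrusted files dropped into a trusted window stay untrusted
  // and open in Restricted Mode rather than inheriting the window's trust.
  "security.workspace.trust.untrustedFiles": "newWindow",

  // An empty window with no folder should not be implicitly trusted.
  "security.workspace.trust.emptyWindow": false
}
```

With these settings a cloned repository can be read and searched in Restricted Mode without any language server or task runner starting; trusting it later is an explicit click.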



