This plugin does not need password so we are fine here.
Regarding your request of not requiring passwords, this would be a BAD thing.
Indeed, some plugins may require your password to transfer funds/assets, etc.. on your behalf.
Now what would be nice is to have a mode where you allow all plugins but 'block' somehow the API calls requiring a password.
I am not even sure if that would help as today, they would ask for your password anyway.
I think the ONLY good options are:
1- get plugins from known and trusted sources.... I guess it won´t take long until ppl come up with bad plugin or provide modified copies of legit plugins
2- check the code yourself if you can...a quick look thru could already tell you a lot
3- share your discoveries/doubts, ask the authors and see how they react... the author of a malicious plugin will likely not answer...