How does one check the security of a Wordpress add-on?

Sharing answers as I see them from that dev community:
https://sucuri.net/webinars/how-to-know-for-sure-you-can-trust-a-plugin/
tl;dw: without a full code audit you can't know for certain. Most people just base it on reputation (lot of downloads, frequent updates, etc) Subscribing to blogs/alerts from companies like Sucuri can at least alert you when there's a new/popular vulnerability in a plugin.

Pantheon and WP Engine both maintain lists of plugins they wont run on their system due to various issues
A tool that could be used to review the code directly:https://github.com/Automattic/VIP-Coding-Standards

Yeah the research is pretty time consuming. I'd say if you can, subscribe to something that will let you know when an add-on is compromised (i think wordpress themselves have a blog dedicated to this), and figure out what you need to do to get them all to automatically update (by default, it's manual. I think we have a plugin that updates our plugins, honestly)

same. trying to get off of wordpress unless it's maintained by php/wordpress developer actively.