Dangerous Gems (tbray.org)
9 points by nickb on Aug 31, 2008 | 5 comments


This story is pretty ridiculous. The risks involved with installing packages from a community repository are universal.


The risk is not installing packages, it's that there's no vetting of people (and their code) joining the community, as there is with something like Debian.


Unless you can sandbox them. Which you can't with gems, or admittedly with any other package manager I know of.


Actually, you can with gems. It will happily install to ~/gems or some other place.


IMO you should never install anything you haven't before onto an important system. Install it in VMware, check it out. Mount the drive elsewhere and diff the filesystem and check for problems. You're way more likely to find a simple mistake that could cause your setup problems than a malicious attempt. You get that part for free.
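
An added example, not part of the thread, of the filesystem comparison the last comment describes: it records type, permissions, ownership and content hash for every path in two trees and reports what was added, removed or changed. It assumes the disk's state before and after the install is available as two directory trees; the function names are made up for this example and the trees in the demo are constructed.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(root):
    """Return {relative path: (file type, permission bits, uid, gid, content)}."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat describes a symlink itself, not its target
            if stat.S_ISLNK(st.st_mode):
                content = os.readlink(full)
            elif stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        digest.update(chunk)
                content = digest.hexdigest()
            else:
                content = ""  # directories, devices, sockets: metadata only
            entries[os.path.relpath(full, root)] = (
                stat.S_IFMT(st.st_mode), stat.S_IMODE(st.st_mode),
                st.st_uid, st.st_gid, content)
    return entries

def diff_snapshots(before, after):
    """Return sorted lists of (added, removed, changed) relative paths."""
    added = sorted(after.keys() - before.keys())
    removed = sorted(before.keys() - after.keys())
    changed = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, changed

def privileged(snap, paths):
    """Subset of paths that are setuid, setgid or world-writable regular files."""
    risky = stat.S_ISUID | stat.S_ISGID | stat.S_IWOTH
    return [p for p in paths if stat.S_ISREG(snap[p][0]) and snap[p][1] & risky]

if __name__ == "__main__":
    # Constructed sample trees standing in for the two mounts of the VM disk.
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root in (a, b):
            with open(os.path.join(root, "profile"), "w") as fh:
                fh.write("PATH=/usr/bin\n")
        with open(os.path.join(b, "profile"), "a") as fh:
            fh.write("PATH=/tmp:$PATH\n")
        print(diff_snapshots(snapshot(a), snapshot(b)))
```

Passing the added and changed paths to `privileged` with the "after" snapshot picks out the entries whose permission bits deserve a look first.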



