This whole discussion is basically telling everybody again that the AUR is anonymous. There are probably lots of bad guys with packages on the AUR and you don't know it. Knowing this “one guy” is just a good reminder about the overall threat level.
The lesson learned is clear: Check the PKGBUILD before you install anything from the AUR. You do not need to be a programmer to do this. Just check the “source” and the “patches” which are being used to build the package. If you trust the source, then go for it.
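An added example, not part of the original comment: one way to list what a PKGBUILD's `source` array pulls in (local patches included) by reading the file as text, without sourcing or running it. The sample PKGBUILD, its hosts and the function names are constructed for illustration, and only `sha256sums` is checked.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not a real package); hosts are placeholders.
SAMPLE = r'''
pkgname=example-tool
pkgver=1.2.3
source=("https://example.org/releases/example-tool-${pkgver}.tar.gz"
        "fix-build.patch"
        "helper::http://files.example.net/helper.sh"
        "git+https://example.com/someone/extra.git")
sha256sums=('PLACEHOLDER_HASH'
            'PLACEHOLDER_HASH'
            'SKIP'
            'SKIP')
'''

def read_array(text, name):
    """Read a bash array as plain text; the PKGBUILD is never sourced or executed."""
    m = re.search(rf'^\s*{name}=\((.*?)\)', text, re.M | re.S)
    return shlex.split(m.group(1), comments=True) if m else []

def audit(text):
    """Return one record per source entry: where it comes from and what to check."""
    sources = read_array(text, 'source')
    sums = read_array(text, 'sha256sums')
    report = []
    for i, entry in enumerate(sources):
        url = entry.split('::', 1)[-1]          # drop optional "filename::" prefix
        vcs = re.match(r'^(git|svn|hg|bzr)\+', url)
        parsed = urlparse(url[vcs.end():] if vcs else url)
        notes = []
        if not parsed.scheme:
            notes.append('local file in the AUR repo: read it')
        elif parsed.scheme in ('http', 'ftp'):
            notes.append('fetched without TLS')
        if i >= len(sums) or sums[i] == 'SKIP':
            notes.append('no checksum pins the content')
        report.append({'entry': entry, 'host': parsed.hostname, 'notes': notes})
    return report

if __name__ == '__main__':
    for r in audit(SAMPLE):
        print(f"{r['host'] or '(local)':22} {r['entry']}")
        for n in r['notes']:
            print(f"{'':22}   ! {n}")
```

`SKIP` is normal for VCS sources, but it means the fetched content is whatever the remote serves at build time, so the host is the only thing being trusted.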