Verify Integrity & Authenticity of downloaded plugins
As far as I can see in the current code, plugins downloaded from the server are just saved & loaded by Gajim; there is no check whether they match the version on the server unaltered. I suggest adding checksums of all downloaded files, e.g. in the manifest.zip or separately. Use a SHA-256 checksum to check their integrity, or GPG signing to also add an integrity check of the source server (as long as the respective key remains secured).
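A sketch of the checksum check proposed above, as an added example that is not Gajim's code or part of the original report. It assumes a hypothetical JSON manifest mapping each file name to its lowercase SHA-256 hex digest; the names `parse_checksums`, `verify_download` and `IntegrityError` are illustrative.

```python
import hashlib
import hmac
import json


class IntegrityError(Exception):
    """Raised when a downloaded file must not be saved or loaded."""


def parse_checksums(manifest_json: str) -> dict[str, str]:
    """Parse {"file name": "sha256 hex"} and reject malformed entries."""
    entries = json.loads(manifest_json)
    if not isinstance(entries, dict):
        raise IntegrityError("manifest is not a JSON object")
    for name, digest in entries.items():
        ok = (isinstance(digest, str) and len(digest) == 64
              and all(c in "0123456789abcdef" for c in digest))
        if not ok:
            raise IntegrityError(f"bad digest for {name!r}")
    return entries


def verify_download(name: str, data: bytes, checksums: dict[str, str]) -> bytes:
    """Return data only if its SHA-256 matches the manifest entry (fail closed)."""
    expected = checksums.get(name)
    if expected is None:
        # A file the manifest does not list is rejected, not trusted by default.
        raise IntegrityError(f"{name!r} is not listed in the manifest")
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise IntegrityError(f"SHA-256 mismatch for {name!r}")
    return data


# Constructed sample: one plugin archive and the manifest published for it.
SAMPLE_PLUGIN = b"constructed plugin archive bytes"
SAMPLE_MANIFEST = json.dumps(
    {"example_plugin.zip": hashlib.sha256(SAMPLE_PLUGIN).hexdigest()})

if __name__ == "__main__":
    sums = parse_checksums(SAMPLE_MANIFEST)
    verify_download("example_plugin.zip", SAMPLE_PLUGIN, sums)
    print("unaltered archive accepted")
    try:
        verify_download("example_plugin.zip", SAMPLE_PLUGIN + b"!", sums)
    except IntegrityError as exc:
        print("rejected:", exc)
```

A digest fetched from the same server as the plugin only shows that the two still agree; the signing option mentioned above is what lets the client check the manifest against a key the server does not hold.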