As with anything you download over the internet, there could be malicious stuff in it. An antivirus quick scan keeps novices happy; most do this automatically nowadays as people use the files.
When you do compile it and run it, well, it is assumed you KNOW what the program is; when you compile, you will have all the source code for it. If the program is communicating with the internet through a backdoor, the backdoor should be pretty elaborate and is often not some simple one line of code. (If the program is using any 3rd-party linked libraries, check out the libraries themselves.) Security concerns can go on and on.
But in the end, if you trust the devs who are working on the tree, download and run it. GitHub has pretty secure end-to-end transmission, and you can check the integrity of the repo with checksums to virtually eliminate the man-in-the-middle stuff.
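
The checksum check mentioned above, as an added example that is not part of the original post: a shell function that looks up a downloaded archive in a `sha256sum`-style checksum list and refuses a mismatch before anything is compiled. The file names (`project-1.0.tar.gz`, `SHA256SUMS`) and the demo data are constructed, and the list is assumed to come from a source you trust independently of the download itself.

```shell
#!/usr/bin/env bash
# Added example: verify a downloaded archive against a SHA256SUMS-style list.
# Assumes file names without whitespace.

# Print the SHA-256 of a file as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum -- "$1" | awk '{print $1}'
    else
        shasum -a 256 -- "$1" | awk '{print $1}'
    fi
}

# verify_download FILE SUMS_FILE
# Returns 0 on match, 1 on mismatch, 2 if FILE has no entry in SUMS_FILE.
verify_download() {
    file=$1 sums=$2
    name=$(basename -- "$file")
    # Entries look like "<hex>  <name>" (text) or "<hex> *<name>" (binary).
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print tolower($1); exit } }' "$sums")
    [ -n "$expected" ] || { echo "no checksum listed for $name" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Constructed demo: a stand-in archive, its checksum list, then a modification.
demo() {
    d=$(mktemp -d)
    printf 'pretend source tarball\n' > "$d/project-1.0.tar.gz"
    printf '%s  project-1.0.tar.gz\n' "$(sha256_of "$d/project-1.0.tar.gz")" > "$d/SHA256SUMS"
    verify_download "$d/project-1.0.tar.gz" "$d/SHA256SUMS"
    printf 'modified after publication\n' >> "$d/project-1.0.tar.gz"
    verify_download "$d/project-1.0.tar.gz" "$d/SHA256SUMS" || echo "refusing to build"
    rm -rf "$d"
}
demo
```

A checksum fetched from the same place as the archive only detects corruption in transit; it says nothing about whether the published code itself is trustworthy.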