How so? I would think it puts its files in a publicly accessible path. That means if it puts executable code there (python, php, js, whatever) in a future release, it allows for a server takeover.
Aside from pre/postinstall scripts, I imagine the SVG and/or CSS files get copied into a folder of static assets.
Depending on how that's done - manual import or part of a build step; specifying file extensions or not; how assets are served, etc. - that could be "vulnerable to code coming downstream".