FWIW, I agree that malicious was the wrong word choice here. I would have said potentially dangerous or risky myself. There is a long standing tradition against doing any external calls for any reason. I found myself on the wrong side of it with a module of my own once that used an external URL for a test. Even that fairly innocuous use case was called out by someone and I changed it.