Source code alone can never provide proof of non-maliciousness. Reflections on Trusting Trust demonstrated that almost 40 years ago.