I use ypool's miner (actually not written by anyone directly connected to ypool).

That said, it isn't actually open source. Therefore, no checking to ensure the code is clean.

(And mainstream enterprise considers open source to be *less* secure.  HAH!)

So who knows at this point in the game?  *shrugs*

(Nice work doing your security diligence, all the same.)