As far as I understand the type providers evaluate the samples at compile time. This means that you have at that point of a time a correct version of the data samples. If at compile time everything is ok there is no security or corruption issue for the runtime.
I also think it won't be a good idea to just pull in arbitrary code (or resources) through http(s) during compilation. I think what you really should do is download the files, review them, add them as resources to your project and use those as input for the type providers.
I also think it won't be a good idea to just pull in arbitrary code (or resources) through http(s) during compilation. I think what you really should do is download the files, review them, add them as resources to your project and use those as input for the type providers.