Although such threats are not common, but a developer can create a malicious Visual Studio code snippet in three different ways. The first is of course writing the malicious code straight into the snippet's code element. This could be avoided by reading the code.
The second way is referencing a script in the HelpURL element. This element contains an URL that will be displayed using Internet Explorer. So if IE has all the security updates installed, this element is quite safe.
The third security threat is adding a reference and calling a malicious function in it. If the referenced library is not open source, the only way to avoid this threat is by making sure that it was downloaded from a trusted site.