Worrying too much about security on plugins is putting the horse a couple of miles before the cart... Most power users have what, 5-10 plugins installed? A simple, attractive way to manage/update these is more pressing... I mean, I've apt-getted 100s of times, installed a plethora of XBMC Addons, and I can't even begin to count the number of Rubygems I've used - and I've never had a problem with security. When I find a gem that's broken for some reason, I can usually find it on Github and fix it...
Dependencies and a standard packaging format are the problems we need to solve, not adding extra layers of virtualization or worrying about if someone makes a plugin recommending Drobo...
I think aitch's onto something with a DSL and semver versioning,