You should always do your due diligence when adding a new package to your codebase; at the end of the day, it is 3rd-party code.
I think your main worry is your credentials being exposed. This package in particular seems to be popular enough to be battle-tested and trusted by a good chunk of the community.
I think you'll be fine. Just remember to keep your credentials a secret, and that means not adding them to version control. Use env variables or any of the other methods listed here to set your credentials.