Start with where it came from
Prefer the developer’s official site or the Mac App Store. Be cautious with sponsored search results, mirrors and archives that repackage old software.
A familiar filename is not proof of origin. Check the exact domain and whether the publisher documents the current version.
Let macOS make its checks
Gatekeeper verifies downloaded software when you first open it. Do not remove quarantine metadata or bypass the warning just to make an installer run.
A Developer ID signature helps identify the signer and detect changes to signed content. Notarisation means Apple checked a submitted build for known malicious content; it is a valuable signal, not a lifetime guarantee.
Check for disguise and extra components
Confirm that the real file type matches its extension. Double extensions, a script presented as a document and executable content buried in an archive all deserve review.
Installers can add login items, privileged helpers, browser bridges or extensions. The main app window may not show everything that will run later.
When in doubt, stop
Do not upload a confidential file to a public scanning service without understanding its sharing policy. A hash-only reputation check can reduce exposure, but an unknown hash proves neither safety nor danger.
If the app cannot be tied to a trustworthy source and its requested authority is difficult to justify, do not run it on your primary account.