by primemotile 3604 days ago
Exactly how is any of this different than installing via the command line?
1 comments

Because it installs based on what you type, if you accidentally type something like `expres`, which has some kind of vulnerability or is malicious, you won't have time to notice the typo before it installs it. It could happen when doing it manually, but it's less likely because it doesn't install based on looking at your code but based on your `npm install` command.
I'm not buying the argument. I often hit [npm install] 20 times a day, and sometimes you get distracted, or just sloppy at the end of a long week. A nice feature of this is that in vim I'd have a dict of common modules, and then have the autocomplete autocomplete their names for me. That way you get in a routine where, if the library isn't in the autocomplete, you need to take a second and think about it. So nothing wrong with the tool, it's just a tool. Use a flamethrower carelessly, and you're going to have a bad time.
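The allowlist idea from the comment above, turned into a pre-install gate (an added example, not code from the thread or from the tool being discussed): it pulls `require()`/`import` specifiers out of a source file, and any package that is not on a known-modules list but sits within a couple of edits of one (e.g. `expres` next to `express`) is flagged as a likely typo rather than installed. The allowlist and the sample source are constructed for the example.

```javascript
// Constructed allowlist: the "dict of common modules" an auto-installer may trust.
const ALLOWLIST = ['express', 'lodash', 'request', 'async'];

// Constructed sample source containing a typo, a subpath import, a scoped-free
// import, a relative file and a genuinely unknown package.
const SAMPLE = [
  "const app = require('expres')();",
  "const fp = require('lodash/fp');",
  "import async from 'async';",
  "const helper = require('./local');",
  "const x = require('totally-new-thing');",
].join('\n');

// Single-row Levenshtein edit distance between two strings.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Pull the module specifier out of require('x') and import ... from 'x'.
function extractSpecifiers(src) {
  const re = /require\(\s*['"]([^'"]+)['"]\s*\)|\bfrom\s+['"]([^'"]+)['"]/g;
  return Array.from(src.matchAll(re), (m) => m[1] || m[2]);
}

// Reduce a specifier to its npm package name; relative/absolute paths are not packages.
function packageName(spec) {
  if (spec.startsWith('.') || spec.startsWith('/')) return null;
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Classify every package the source pulls in: allowed, near-miss (suspicious), or unknown.
function auditSource(src, allowlist = ALLOWLIST, maxDistance = 2) {
  const result = { allowed: [], suspicious: [], unknown: [] };
  for (const name of new Set(extractSpecifiers(src).map(packageName).filter(Boolean))) {
    if (allowlist.includes(name)) { result.allowed.push(name); continue; }
    let closest = null, distance = Infinity;
    for (const known of allowlist) {
      const d = levenshtein(name, known);
      if (d < distance) { distance = d; closest = known; }
    }
    if (distance <= maxDistance) result.suspicious.push({ name, closest, distance });
    else result.unknown.push(name);
  }
  return result;
}

console.log(JSON.stringify(auditSource(SAMPLE), null, 2));
```

Anything in `suspicious` or `unknown` is a reason to stop and look before the install fires; only `allowed` names should go through unattended.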