If your time is worthless, Windows can - and always could - be free. But if your time is worth something, it's better to shell out that $$$, and also be legally and morally on the safe side.
1. If you use a custom KMS server like that, I don't know what they can do to you. Maybe a KMS server can send arbitrary commands to a client by design? I don't know. Even if it can't, there could be a bug like a buffer overflow in the KMS client that might allow the server to execute code on your client machine. Since you are only supposed to connect your client to Microsoft's KMS server (I don't believe other alternative and supported implementations of the server exist), maybe the client is not as battle-tested and hardened as it should be.
2. Installing kmspico requires admin access to your machine. What kmspico does is install a local KMS server, which works the same way as the remote KMS server I suggested using: it activates everything you throw at it. But as I said, it needs admin access to your machine, and it's up to you whether you trust kmspico or not.