It's a good question to ask.
The bugs are not executable. You can put them in a sandbox and examine what they do. They will show you. You need to have the skills to do this.
Take, for example, the most benign token - The webug. This is a URL. A URL can't be a backdoor; it's just a link.
Take, for example, the word token, This can be a transport for Macro malware. It isn't but you can check using a sandbox. Also If you are concerned about this then place the token in a sandbox to investigate. Also, use https://www.virustotal.com/gui/ on the URL and file to find any known malware. You wont find any.
Another thing to consider. Our canary servers have 1/2 million users. If there was a backdoor, I think someone would have reported it online.