Any security checks would be server-side and in the source files; them being in the templates would only mean that it could be removed by the client making it utterly useless [that is, the security hole would be there regardless of the state of the skin]. I realize that there are conditionals which are not public-facing, but again, those would not be the final layer of security. The worst that could happen in that regard, that I can see, is that a form key would be mistyped [which there are a couple cases of in prior versions] causing a particular action to not work. Not quite board-compromising caliber.
There is definitely the potential for bad things to happen through custom skins, particularly if the creator includes their own special PHP for whatever purpose, but for a general skin and especially one of Sherri's, I'm pretty sure that would not be the case.