> see if it's on download.com...this can only prove that it isn't malware
Proof? Dude, what do you think the download.com guys do?
They get given a binary, they run some black box testing on the output of it, then shrug their shoulders and say "looks okay".
The closest you can get to "proof" is if the source code is online as free software, there are developers that don't work for the same company, and there are plenty of users. In those situations, malware tends to be found and removed.
Failing that, the simplest criterion is just that it be free software. That doesn't guarantee anything, but there are almost no cases of free software containing malware. ...or maybe you meant that being on download.com is just a proof that the software isn't *too* bad.