There are several different ways to trigger a macro (probably more, but I'll leave it at these for this discussion).
- kmtrigger: URL scheme.
- AppleScript do script (including from other scripting languages).
- A Trigger File.
- Public Web trigger.
- Remote trigger.
They differ in a variety of ways, including security and remoteness.
The first three basically work only on your local Mac, and if you are triggering a macro from your local Mac, they are the ones to use. Which one depends on what you are doing on your Mac to induce it to be triggered. These have minimal security issues, since anything that can open files on your Mac, run AppleScript, or fire off URLs can almost certainly do a lot worse than running a macro.
The Public Web trigger works only if Keyboard Maestro’s built in web server is enabled, and for most people will work only within your local network, since almost everyone these days uses Network Address Translation and so you cannot access your Mac from outside your environment. Unless you don't have NAT (very rare), or you use a VPN or explicitly set up port forwarding, chances are you Mac cannot be executed from outside your own network. Thus these triggers are relatively secure, but can be accessed from elsewhere in your network (such as from your phone when you are also on your local network) or other Macs on your local network. Thus if you want access from elsewhere on your local network, this may well be the correct choice for triggering a macro.
The Remote Trigger works from anywhere on the Internet. It works via a http://trigger.keyboardmaestro.com/, which is a server that Stairways runs, and so Keyboard Maestro keeps a connection to the Stairways server, waiting for a trigger to come in, and you trigger it by accessing the Stairways server. These macros can thus be triggered from anywhere, so they have significant security implications. This is fine as long as your macro is relatively innocuous - for example I use it for displaying alerts if one of my systems goes down. If someone managed to trigger this macro the worst that happens is I get spurious alerts.
In theory, you can only trigger the macro if you know both the magic numbers in the trigger URL, which by default are UUIDs, so they have lots of random bits making them essentially impossible to guess. One is specific to your Mac, and one is specific to the trigger. Unless there is a need, you should use the random ones that Keyboard Maestro makes. However it is valid to have semi-public or public triggers, and multiple instances of Keyboard Maestro can have the same trigger, in which case all the different Keyboard Maestro’s with that trigger would execute the macro. For example, say you wanted multiple people to be alerted when some tickets go on sale, you could have single well known trigger value and anyone could trigger it all the Macs would be alerted. More likely you would use this in semi-public cases, say a macro for a bunch of Macs in a lab to tell them all to shut down.
In practice, if the Keyboard Maestro server was compromised, then any of the triggered macros could be triggered, so there remains additional risk on top of the secret trigger number being discovered. So it is a good idea to ensure the macros are innocuous.