How secure is passing an object to a method?

Hey, how secure is passing objects or arrays to methods?
Can I use check(objParam, Object) or check(arrParam, Array) in the methods?

If a malicious user creates a JS object with a custom-made prototype, and invokes Meteor.call with that object, can he run malicious JavaScript code when the server parses that and accesses keys or indexes?
Can he overload the [] or . operator, so it runs the custom-made malicious function in the prototype?

Is it secure enough? Or should I iterate on them and take out values and construct primitive variables and send them to the server?
If not, are there any security tips I should keep in mind when accepting objects from the client Meteor.call?

I’d suggest reading over the Method security section of the Guide. It’s a good idea (actually, I’d say it’s mandatory) to validate all Method input. There are several ways to do so (using check, Simple Schema, etc.), and I’d also recommend taking a look at the mdg:validated-method package.

Also, check Meteor’s documentation for the match() method.
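
An added example for the question in this thread (not code from any poster or from Meteor): it shows what a method body receives when the client passes an object with a custom prototype, and why an exact-shape check is stricter than a type-only one. It assumes a JSON round trip as a stand-in for the method-call transport (Meteor's EJSON additionally revives only built-in types and types registered on the server), and `matchesShape` is a hypothetical helper playing the role of `check` with an object pattern.

```javascript
// Stand-in for the transport (assumption): arguments leave the client as
// JSON text and are parsed back into plain data on the server.
function simulateWire(arg) {
  return JSON.parse(JSON.stringify(arg));
}

// Constructed client-side object with a custom prototype, a getter and
// function-valued properties.
function buildClientObject() {
  const proto = {
    get role() { return 'admin'; },
    toString() { return 'client-defined'; },
  };
  const obj = Object.create(proto);
  obj.name = 'alice';
  obj.run = () => 'client-defined';
  return obj;
}

// Hypothetical helper, not Meteor's API: accepts only a plain object whose
// own keys are exactly those in `shape`, each with the listed typeof.
function matchesShape(value, shape) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return false;
  }
  const keys = Object.keys(value);
  if (keys.length !== Object.keys(shape).length) return false;
  return keys.every(
    (k) => Object.prototype.hasOwnProperty.call(shape, k) &&
           typeof value[k] === shape[k]
  );
}

// What a method body would see for three constructed inputs.
function demo() {
  const received = simulateWire(buildClientObject());
  return {
    ownKeys: Object.keys(received),
    plainPrototype: Object.getPrototypeOf(received) === Object.prototype,
    getterSurvived: 'role' in received,
    expectedShape: matchesShape(received, { name: 'string' }),
    extraKey: matchesShape(simulateWire({ name: 'alice', extra: { a: 1 } }), { name: 'string' }),
    nestedValue: matchesShape(simulateWire({ name: { a: 1 } }), { name: 'string' }),
  };
}

console.log(demo());
```

In Meteor terms, `check(objParam, Object)` accepts any plain object with any keys, so the `extraKey` and `nestedValue` inputs would pass it; a pattern such as `check(objParam, { name: String })` requires exactly the listed keys and types.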