Many beginners ask, "Is this project reliable?"

I usually check three things first: GitHub, audit reports, and multi-signature upgrades.
Don't be fooled by the words "open source + audited"—I used to think an audit meant it was safe, but later I found out the audit was for a version from half a year ago, and the contract had already been upgraded once since then... which makes the audit basically pointless.

You don't need to understand code to get a general idea from GitHub: whether updates are continuous, whether issues are being raised, whether the team responds, and the most worrying sign is a sudden wave of commits followed by a long period of silence.
For audit reports, I focus on two points: what scope is covered, and whether the issues found are "fixed" or "accepted risks" (in other words, just left as is).
The upgrade multisig is even more critical: how many signers are required, whether there's a timelock, and whether the logic can be changed with one click.
Too much centralization in the multisig = lip service to decentralization, while in practice they can move your assets at any time.

Recently, NFT royalties have been a heated topic, and the logic is actually the same: whether the rules are clearly written, and who holds the final switch that ultimately decides creator income or secondary liquidity.
Anyway, when I evaluate a project, I first look at "who can change the rules," which is more reassuring than just listening to the narrative.
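The three checks in the post (commit cadence on GitHub, audit scope versus the deployed version, and who controls upgrades) can be turned into a repeatable screening script. The code below is an added example, not the author's own tooling; the project facts, commit dates and commit ids it uses are constructed for illustration, and the thresholds (a 10-commit burst inside 14 days followed by 90 days of silence, a zero-second timelock, a single-signer threshold) are assumptions a reviewer would tune.

```python
"""Added example (not from the original post): a small screening checklist for
"who can change the rules". Every input below is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class ProjectFacts:
    commit_dates: list          # one "YYYY-MM-DD" entry per commit
    audited_commit: str         # commit the audit report says it covered
    deployed_commit: str        # commit the live contract was built from
    acknowledged_findings: int  # audit issues left as "accepted risk"
    upgradeable: bool           # can the logic be swapped (proxy / upgrade path)?
    signers: int                # members of the upgrade multisig
    threshold: int              # signatures needed to execute an upgrade
    timelock_seconds: int       # delay between queuing and executing an upgrade


def burst_then_silence(commit_dates, as_of, burst_window_days=14,
                       burst_min_commits=10, silence_days=90):
    """Detect the pattern the post warns about: a dense wave of commits
    followed by a long gap (either before the next commit or up to `as_of`)."""
    dates = sorted(date.fromisoformat(d) for d in commit_dates)
    for i, start in enumerate(dates):
        window_end = start + timedelta(days=burst_window_days)
        burst = [d for d in dates[i:] if d <= window_end]
        if len(burst) < burst_min_commits:
            continue
        last = burst[-1]
        later = [d for d in dates if d > last]
        next_commit = later[0] if later else as_of
        if (next_commit - last).days >= silence_days:
            return True
    return False


def evaluate(facts, as_of):
    """Return a list of findings; an empty list means none of the checks fired."""
    findings = []
    if burst_then_silence(facts.commit_dates, as_of):
        findings.append("github: wave of commits followed by a long silence")
    if facts.audited_commit != facts.deployed_commit:
        findings.append("audit: audited commit differs from the deployed commit (audit may be stale)")
    if facts.acknowledged_findings > 0:
        findings.append(f"audit: {facts.acknowledged_findings} finding(s) accepted as risk, not fixed")
    if facts.upgradeable:
        if facts.threshold <= 1:
            findings.append("upgrade: a single signer can change contract logic")
        if facts.timelock_seconds == 0:
            findings.append("upgrade: no timelock, logic can change in one transaction")
    return findings


# Constructed sample: a project with a January commit burst, then nothing.
AS_OF = date(2024, 6, 1)
RISKY = ProjectFacts(
    commit_dates=["2024-01-%02d" % d for d in (2, 2, 3, 4, 4, 5, 8, 9, 10, 11, 12, 12)],
    audited_commit="a1b2c3d",   # placeholder ids, not real commits
    deployed_commit="9f8e7d6",
    acknowledged_findings=2,
    upgradeable=True, signers=2, threshold=1, timelock_seconds=0,
)
# Constructed sample: weekly commits for a year, audit matches, 3-of-5 with a 48h timelock.
SOLID = ProjectFacts(
    commit_dates=[(date(2023, 6, 5) + timedelta(weeks=k)).isoformat() for k in range(52)],
    audited_commit="c0ffee1", deployed_commit="c0ffee1",
    acknowledged_findings=0,
    upgradeable=True, signers=5, threshold=3, timelock_seconds=48 * 3600,
)

if __name__ == "__main__":
    for name, facts in (("RISKY", RISKY), ("SOLID", SOLID)):
        print(name, evaluate(facts, AS_OF) or ["no findings"])
```

The script only encodes the post's questions; it cannot see intent. A 3-of-5 multisig with a timelock still means five people can change the rules, so the output is a prompt for reading the upgrade path, not a verdict.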