How to make sure that repositories added to Linux Mint are safe and secure

0

I’m using the latest version of Linux Mint, which is based on Ubuntu. I have installed many programs by adding new repositories to the list of checked repositories. Now I’m worried about how safe the repositories that I have added previously actually are.

  • Is there any program to check that the repositories that I have used in the past are safe and trusted?

  • Is there any antivirus application that checks that my system, the packages I’m using, the repositories, etc. are safe?

  • I just don’t want to install a new version of Linux for that reason.

osama al banna

Posted 2015-02-26T15:06:35.283

Reputation: 145

Question was closed 2015-02-27T15:21:13.623

Answers

0

This is a simple matter of which repositories you trust. If you use official repositories, the checksums of their packages are checked against checksums stored on official servers, so as long as the hash algorithm is secure, you can be sure that the packages you obtained from mirrors are the ones that the official vendor published. But there is still the question of whether you trust the official repositories.

If you expect any stuff you have installed in the past to not be trustworthy, you must consider your complete system flawed and should attempt any anti-virus or whatever checks from at least a live system.

Summing it up: If you are worried, completely reinstall your system and stick to repositories you trust. Keep in mind that there is malware nowadays which can also infect hardware and thus survive a reinstallation.

kuleszdl

Posted 2015-02-26T15:06:35.283

Reputation: 34

0

For an antivirus, I'd recommend clamav.

Then it is a simple matter to

apt download pkgname && clamscan pkgname-ver.sion.number.deb

apt deb pkgname-ver.sion.number.deb

For better security, I can offer no more advice than to

apt source pkgname && cd pkgname-ver.sion.number-src

and then audit the code yourself. Once you are satisfied that the code contains few to no backdoors, you can

apt build-dep pkgname && apt build pkgname && apt deb pkgname*.deb

For more proprietary packages (spotify and chrome to name a couple) you cannot obtain source code, so you must use the clamav method.

You cannot check an entire repository. You can only check each package individually.

For maximum security, however, you must remove these "Extra repos" and stick with what was provided by the distribution.

averagejoey2000

Posted 2015-02-26T15:06:35.283

Reputation: 180

While the user is asking about antivirus measures, the core of the question is not the user asking about securing Linux Mint via tools like ClamAV but rather the security of repositories themselves: “Is there any program to check that the repositories that I have used in the past are safe and trusted?” – JakeGould – 2015-02-26T19:01:44.210
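
averagejoey2000's advice to remove the "Extra repos" presupposes knowing which ones are configured. The script below is an added example, not part of the original answers: it lists active one-line `deb` entries and flags hosts outside an allow-list. `TRUSTED_HOSTS`, the function names and the sample hosts are assumptions, and deb822 `.sources` files are not parsed.

```shell
# Added example: flag APT sources whose host is not on a distribution allow-list.
# TRUSTED_HOSTS is an assumption; edit it to match what your install shipped with.
TRUSTED_HOSTS="packages.linuxmint.com archive.ubuntu.com security.ubuntu.com archive.canonical.com"

# Constructed sample of one-line sources entries (example.* hosts are made up).
sample_sources() {
    cat <<'EOF'
# official
deb http://packages.linuxmint.com rebecca main upstream import
deb http://archive.ubuntu.com/ubuntu trusty main restricted universe
deb [arch=amd64] http://repo.example.com/apt stable main
# deb http://disabled.example.org/apt stable main
deb-src https://ppa.example.net:8443/someuser/ppa/ubuntu trusty main
EOF
}

# Print "host<TAB>uri<TAB>suite<TAB>file" for every active deb/deb-src entry.
list_sources() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }     # skip comments and blank lines
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            if ($i ~ /^\[/) {                     # skip [arch=... ] style options
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i; suite = $(i + 1); host = uri
            sub("^[a-z+]+://", "", host)          # drop scheme
            sub("^[^/@]*@", "", host)             # drop user:password@ if present
            sub("[/:].*$", "", host)              # drop path and port
            printf "%s\t%s\t%s\t%s\n", host, uri, suite, FILENAME
        }
    ' "$@"
}

# Print "host<TAB>suite<TAB>file" for entries whose host is not in TRUSTED_HOSTS.
untrusted_sources() {
    tab=$(printf '\t')
    list_sources "$@" | while IFS="$tab" read -r host uri suite file; do
        case " $TRUSTED_HOSTS " in
            *" $host "*) ;;                       # distribution repository, skip
            *) printf '%s\t%s\t%s\n' "$host" "$suite" "$file" ;;
        esac
    done
}

# When run with file arguments, audit them directly.
if [ "$#" -gt 0 ]; then untrusted_sources "$@"; fi
```

On a real system, pass it `/etc/apt/sources.list /etc/apt/sources.list.d/*.list`; `apt-cache policy pkgname` then shows which configured source a given package comes from.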