Hi @mrenato, thanks for your query to us on this.
Wordfence is only able to verify with 100% reliability whether a plugin has been compromised, such as having additional unwanted code inserted by an attacker, by checking against the official www.remarpro.com repository. If your plugin content tallies with the approved code within the repository, Wordfence knows no tampering has taken place.
This does not mean that you cannot use Wordfence with plugins from a site like Elgato, but Wordfence will not be able to check the code for validity in the same way, so this places more responsibility on the developer to ensure security holes are patched and on you to ensure the plugin is kept up-to-date.
Nulled plugins can also be inadvertently obtained from external sites, so for more details about the dangers of nulled themes and plugins, please read this blog post which details the reason why we think this is a bad idea: https://www.wordfence.com/blog/2019/11/wp-vcd-the-malware-you-install-on-your-own-sites/
Thanks,
Peter.
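
The repository comparison described in the reply above, sketched as an added example (not Wordfence's code and not part of the original post): hash every file of an installed plugin and compare it with a trusted reference copy, reporting modified, unknown and missing files. The plugin file names and contents are constructed, and the reference directory stands in for the copy held in the official repository; for a plugin obtained elsewhere there is no such reference to compare against.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large plugin assets do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map each file under root (relative, '/'-separated path) to its SHA-256."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return out

def compare(installed, reference):
    """Classify installed files against the trusted reference hashes."""
    return {
        "modified": sorted(p for p in installed
                           if p in reference and installed[p] != reference[p]),
        "unknown": sorted(p for p in installed if p not in reference),
        "missing": sorted(p for p in reference if p not in installed),
    }

def demo():
    # Constructed sample: identical reference and installed copies of a
    # hypothetical plugin, then three changes made to the installed copy.
    files = {"plugin.php": b"<?php // main\n",
             "inc/util.php": b"<?php // util\n",
             "readme.txt": b"readme\n"}
    with tempfile.TemporaryDirectory() as ref, tempfile.TemporaryDirectory() as inst:
        for root in (ref, inst):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        with open(os.path.join(inst, "plugin.php"), "ab") as f:
            f.write(b"// extra line not in the reference copy\n")  # changed file
        with open(os.path.join(inst, "inc", "extra.php"), "wb") as f:
            f.write(b"<?php // file absent from the reference\n")  # added file
        os.remove(os.path.join(inst, "readme.txt"))                # deleted file
        return compare(hash_tree(inst), hash_tree(ref))

if __name__ == "__main__":
    print(demo())
```

Files reported as unknown deserve the same attention as modified ones, since code can be added in a new file without touching any file the plugin originally shipped.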