That’s an excellent point, and thank you for raising it. You are 100% correct—relying on users to inspect a URL that could be spoofed with User-Agent trickery is a flaw in the original recommendation. It's a classic threat model that I should have addressed from the start.
Thanks to your feedback, I've just merged a PR to change the recommended installation method in the documentation to the only truly safe one: a two-step "download, then execute the local file" process. This ensures the code a user inspects is the exact same code they run.
I sincerely appreciate you taking the time to share your expertise and hold the project to a higher standard. This is what makes a community great.
Thanks to your feedback, I've just merged a PR to change the recommended installation method in the documentation to the only truly safe one: a two-step "download, then execute the local file" process. This ensures the code a user inspects is the exact same code they run.
I sincerely appreciate you taking the time to share your expertise and hold the project to a higher standard. This is what makes a community great.