Will It Vibe logoWill It Vibe?
SHELL-004High severity-15 points

Remote script piped straight into a shell

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 15 points from that category, once per scan, no matter how many places it turns up.

What it detects

curl/wget output piped directly into bash/sh (or bash <(curl ...)) executes whatever the remote server returns at that moment, with no integrity check and no chance to review it first. A compromised server, a MITM on a plain HTTP fetch, or a supply-chain attack on the install script all lead straight to code execution on this machine.

Why it matters

Piping curl or wget output straight into bash/sh executes whatever the remote server sends back at that exact moment, with no chance to review it and no integrity check. If the server is compromised, the download is intercepted over plain HTTP, or the install script itself is later modified upstream, the machine runs that code with whatever privileges the script has, often as root during setup.

How to fix it

Download to a file first, verify it (a published checksum or GPG signature, or at minimum a manual read for anything unfamiliar), and only then execute it: curl -fsSL URL -o install.sh && sha256sum -c install.sh.sha256 && bash install.sh. Prefer installing from your distro's package manager or a pinned, checksummed release artifact over a vendor "curl | bash" one-liner wherever one exists.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks