I stopped trusting curl | sh — so I built a tool that reads the script first
Every developer has done it. You hit a README, you see the install command:

curl -fsSL | sh

And you run it. Maybe you skim the script first. Maybe you don't. But you run it.

I've been doing this for years. And each time, a small voice in the back of my head says: you have no idea what that script actually does. You just piped a stranger's code straight into your shell. Eventually I got tired of ignoring that voice.

What the pattern actually is

curl | sh is not a bad pattern — it's a fast, con...