This is an educational website used to highlight the risks of piping URLs directly to shells without manually inspecting the contents first. Many software projects offer this as a quick and easy installation method. Just like any other software download, verify the source and legitimacy before you trust it enough to run it on your system.
As a best practice, inspect scripts locally (not just in your browser) before executing them so the script you inspect is identical to what is executed.
Instead of piping straight to a shell:
curl https://raw.gitubusercontent.com/some-cool-project/install | bash
download the script and inspect the local copy first:
curl -O https://raw.gitubusercontent.com/some-cool-project/install
cat -v install
Thank you @lasagne on chaos.social for the awareness of using the -v argument for escape sequences.
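An added example (not code from this site): a small POSIX shell helper that automates the cat -v check above by counting bytes outside printable ASCII, tab and newline in a downloaded script and showing the affected lines. The function names and the two sample scripts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original page. Function names are hypothetical.

# count_hidden_bytes FILE: print how many bytes are NOT printable ASCII,
# tab or newline (ESC, carriage return, backspace, non-ASCII bytes, ...).
count_hidden_bytes() {
    LC_ALL=C tr -d '\11\12\40-\176' < "$1" | wc -c | tr -d ' '
}

# review_script FILE: return 0 if the file is plain text only, 1 otherwise.
# Affected lines are printed through cat -v, so control characters show up
# as visible ^X / M-x notation instead of being interpreted by the terminal.
review_script() {
    hidden=$(count_hidden_bytes "$1")
    if [ "$hidden" -eq 0 ]; then
        echo "$1: only printable ASCII, tabs and newlines"
        return 0
    fi
    echo "$1: $hidden suspicious byte(s), do not run before reading:"
    LC_ALL=C grep -n '[^[:print:][:blank:]]' "$1" | cat -v
    return 1
}

# make_samples DIR: write two constructed sample scripts for trying this offline.
make_samples() {
    printf 'echo "step one"\necho "step two"\n' > "$1/clean.sh"
    # Constructed: second line carries an escape sequence and a carriage return.
    printf 'echo "step one"\necho "step two" \033[2K\r# a comment\n' > "$1/hidden.sh"
}

# Typical use on the file fetched with curl -O:
#   review_script install && bash install
```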
Tinfoil hat? A little. But a more devious watering hole and/or typosquatting attack could even dynamically change the content served to you based on your user agent or other factors. Your preview in the browser displays one thing, while curl retrieves something different, even though both URLs are identical.
Compare visiting the identical URL in your browser (any random URL for gitubusercontent.com or raw.gitubusercontent.com will work):
https://raw.gitubusercontent.com/some-cool-project/install
with the response in your terminal:
curl https://raw.gitubusercontent.com/some-cool-project/install
or
wget https://raw.gitubusercontent.com/some-cool-project/install
or
Invoke-WebRequest https://raw.gitubusercontent.com/some-cool-project/install
Notice something different? While this proof of concept only utilizes user agents, spoofing your user agent might not be enough depending on the determination of an adversary.
Contact me on Mastodon. Not affiliated with GitHub.