by rsy96 3934 days ago
Not because he is suggesting curl. But because he is suggesting curling without TLS.

TLS wouldn't help; the greatest risk is the author himself sending a malicious script (no offense, Sergii).

So everyone needs to check the script before running it anyway. Which is easy, because it's a very short script.

(Of course, it's so short that it might as well have been an alias or, even better, just a copy-pasteable git command, but I guess the author really wanted to call it 'git punish'.)

How is this any different than any app/executable/script, period? When you download VLC, did you read all the code to check it's not installing a rootkit? When you added some Python lib, do you go through all the code and make sure that on the 20th run it doesn't upload your private SSH keys? Have you checked all the vim or emacs code in your latest download before running it? Maybe I'm missing the issue but they all seem about the same level of bad.

Am I missing something?

No, what you're saying is exactly my point: there's nothing wrong here.