Opening it in a text editor is not sufficient. With clever use of 'sleep' you can even have the server return a malicious payload only if it thinks its getting immediately piped to sh[0].
If you're opening it in a browser to check, you've also got to worry that the server may be looking at curl's user agent to decide whether to serve up a malicious payload[1].