Yes, that's good common sense. But you can check the source code on GitHub (it's deployed directly via GitHub Pages) or first download it and then execute it without piping from curl.
Yeah, or just host it yourself once reviewed. That's what I usually do (not with this, I haven't heard of this before, but with scripts I find now and then).