[nine_k]

No, the concern is not your computer is compromised. Yours is a low-value target, sorry.

It's their http server, or a machine that feeds that http server, which is a good target for a compromise. Injecting a little bit of malicious code that steals something, or installs a fileless piece of malware, would bring massive benefits to the perpetrator, even if the exploit is short-lived.

That shell script should be a zip (gzip, xz) file, with a sha256 hash of it published on a different, separately hosted resource.

Maybe we should provide an utility that just does that in one command. It could even be a shell script...

[qbasic_forever]

Realistically a poisoned ARP or DNS attack that redirects your machine's traffic to the attacker's server, both for the download and the download page, is something to be concerned about. This only requires someone to have access to your local network, not to your machine. It could be as innocent as working at a coffee shop from their wifi network and an attacker being on it too...

[moondev]

curl validates the TLS certificate by default, it will fail in your scenario unless you pass -k. dev TLD requires https on all connections