[zamalek]

Its slightly more insidious: merely opening it in a text editor (assuming it has some form of lsp) could pwn you. Rust definitely isn't alone in this. Quite a few of the editors I know will run in a dumbed down mode when opening an unknown repo.

[kibwen]

It's even more insidious than that! Even navigating to a directory in a checkout of a hostile git repo can run arbitrary code if your shell displays git info (what branch you're on, etc).