[GeorgeOldfield]

it's fun but PLEASE watch out for malicious code/supply chain attacks from random vibe-coded .sh scripts:

downloads other scripts (peon.sh, uninstall.sh) and executes them or places them where they will be executed later

edits your ~/.bashrc and ~/.zshrc files to add aliases and tab completion

parses a remote JSON file to get filenames ($sfile) and then does: curl ... -o "$INSTALL_DIR/packs/$pack/sounds/$sfile"

[JohnMakin]

Lol, yea, the scripts are beyond sketchy. This is the new vector, a cool idea masking itself as "fun" (which it is actually fun). People not understanding or vibing may not understand what they're installing. Even if this author isn't malicious, you cannot assume that will always be the case.

[philsnow]

The author might not be malicious, but from going through some of the audio packs, they're really not quality-checking PRs. For instance, sc_medic/sounds/WhereDoesItHurt.mp3 sounds like two-and-a-half sounds stuck together ("Critical? You Rang? Please state the nat--", it cuts off right there, and doesn't include the phrase "Where does it hurt?").

I wouldn't use this repo outside of some kind of sandbox.

[JohnMakin]

Plus, the fact that audio/video assets can have RCE zero days quite often on some of these systems should make someone immediately suspicious. It isn't hard to generate those assets on your own in a way you are comfortable with. I would never, ever, ever install this without forking my own assets and doing my own install, but not everyone is me.

[GeorgeOldfield]

I'm not saying the author is malicious. These are typical vibe-coded codebase characteristics.

[ziml77]

I don't think using something fun as an attack vector is anything new at all. It's an easy way to have someone let their guard down because you want to play around and aren't thinking how something silly could actually be out to get you.

[JohnMakin]

It's new in the sense non-technical users can just download and install and use stuff like this far, far easier than it ever was before.