Design and evaluate one-line installer scripts with security and fit considerations.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "one-line-installer-patterns" skill from askskill: 1. Download https://raw.githubusercontent.com/microsoft/amplifier-bundle-skills/main/skills/one-line-installer-patterns/SKILL.md 2. Save it as ~/.claude/skills/one-line-installer-patterns/SKILL.md 3. Reload skills and tell me it's ready
I have a Docker Compose-based multi-service project and cannot use npm publish or uv tool install. Evaluate whether a curl | sh one-line installer is appropriate, and provide a recommended script structure, security warnings, rollback strategy, and boundary cases where this approach is not suitable.
A recommendation on whether to use a one-line installer, plus script design principles, security trade-offs, and suggested alternatives.
I need to distribute a tool to non-technical users that installs system dependencies and a local CLI. Using conventions from rustup, bun, and deno, design a simple one-line installation entry point that clearly shows risk warnings, permission requirements, platform detection, and failure handling.
A one-line installation approach suited for non-technical users, including messaging, execution flow, and error-handling guidance.
Please review my installation requirements: it is a raw TS/React app involving browser-side builds and internal team deployment. Analyze whether a curl-piped installer is the wrong choice, list better distribution options, the decision criteria, and how I should explain this decision to the team.
An explanation of whether this pattern is unsuitable, with alternative distribution channels, decision criteria, and team-facing communication guidance.
A curl … | bash install script is the right answer in a narrow set of cases. Outside that set, simpler distribution mechanisms exist and should be used.
Use this pattern when:
uv tool install cannot do the job alonedocker compose up, but the user needs a clean way to land the compose file, generate an .env, and start the stackDon't use this pattern when:
uv tool install git+... and see cli-packaging-patternsnpx <tool> or pnpm dlx <tool>curl -L .../tool -o ~/.local/bin/tool && chmod +x ~/.local/bin/tool. This is the modern Go/Rust default.docker-compose.yml. The "install command" is docker compose up -d. Plausible, n8n, and Outline all do this.A curl | bash script is a thin wrapper around one of the four real distribution mechanisms above. It is not its own distribution mechanism.
Piping a remote script to a shell executes whatever the server returns at the moment of invocation. The user has no opportunity to inspect what runs. The trust model is roughly equivalent to running any other unverified binary from the internet — not worse, but not better.
There is also a documented attack class: a malicious server can detect a curl | bash invocation by stalling the response and serve different content than it would to a curl > install.sh && less install.sh inspection. See https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/ — this is real and demonstrated, not theoretical.
Required mitigations:
http://.main.What this pattern cannot give you:
curl -fsSL https://example.com/install.sh | bash
This shape is used by rustup, bun, deno, fly, ollama, pnpm, supabase, and most others. Conform to it.
curl -fsSL: fail on HTTP error (-f), silent progress (-s), show errors (-S), follow redirects (-L)| bash — not | sh. Almost no production installer is strict POSIX sh. Bash 3.2 (the macOS default) is the realistic floor. Documenting | bash is honest about what the script actually requires.For arguments, use the rustup convention:
curl -fsSL https://.../install.sh | bash -s -- --version 1.2.3 --no-modify-path
The bash -s -- form is broadly understood and supported.
For the review-first variant, document this prominently in the README — not as a footnote:
curl -fsSL https://.../install.sh -o install.sh
less install.sh
bash install.sh
1. set -euo pipefail; trap cleanup EXIT
2. Detect: OS, arch, libc (glibc vs musl), shell, existing install
…
Research, plan, and execute large code changes with parallel PR-producing agents.
Analyze images, extract text, and answer visual questions with LLM vision models.
Design robust config and state file handling with safe defaults and crash recovery.
Get skeptical, practical guidance on architecture, legacy refactors, and tooling decisions.
Design auth and TLS patterns for smooth local use and secure remote access.
Design CLI tools with simple installs, command routing, and layered config.
Learn idiomatic Rust patterns, ownership, concurrency, and robust error handling practices.
Check for and install GitHub CLI to prepare a development environment.
Improve APM CLI command UX, help text, and first-run flows.
Review security risks for auth, inputs, secrets, APIs, and sensitive features.