Optimally, you want to download software from a static, external source that people can vet, preferably protected from tampering with digital signatures. For most of these scripts, there's no way to know if the file you'll receive will be the same as a file someone with an interest in installer security will receive. You'd have to download from a source that you can believe to be reasonably static to get the minimum amount of trust at the least.
It's trivial to serve different files to different user agents, and with terminal escape codes you could even hide malicious code from the few people that cat these scripts. I don't like downloading files from a project's own, potentially dynamic, server, and executing them directly, even though that's commonly the only way to run certain tools.
In my opinion, downloading github release files or even just the scripts from github directly is worse than using reliable repositories with signatures and all that, but better than downloading random shell or exe files and executing them as admin. You'll always be at some kind of risk of software manipulation, so you have to choose how much risk you want to accept when it comes to this stuff.
It's trivial to serve different files to different user agents, and with terminal escape codes you could even hide malicious code from the few people that cat these scripts. I don't like downloading files from a project's own, potentially dynamic, server, and executing them directly, even though that's commonly the only way to run certain tools.
In my opinion, downloading github release files or even just the scripts from github directly is worse than using reliable repositories with signatures and all that, but better than downloading random shell or exe files and executing them as admin. You'll always be at some kind of risk of software manipulation, so you have to choose how much risk you want to accept when it comes to this stuff.