> But, maybe it would be best not to have “yay” available. Using something like AUR without reading the package build files is… pretty bad, right? And it is bad for the community, because if there is a convention of doing that sort of thing, it makes the AUR a good target for attacking.

I don't remember how yay works but paru (another AUR package manager) displays the pkgbuild file before it will install.