There's no `curl | sh` going on. "curl-able" means what it says: you curl down a single docker-compose file and run `docker compose up`. You don't clone the repo and you don't pipe anything into a shell. The whole point of the project is that it ships as one compose file you can fetch and run, which is why I called it curl-able.

I'm not sure how familiar you are with Docker and Docker Compose, but this is pretty common practice when you want to let people run a whole stack from a single compose file. If you have security concerns, you can (and always should) review the compose file and the Docker images to see what they do. Everything is available in the repo. But to actually run it, one curl is enough.

curl | bash and pentesting go well together