Since the script comes from GitHub repo, and the source is also on the repo, isn't building the source the same as getting the shell script and running it? I mean if one is compromised, the other might be compromised too.