That's a huge amount of trust you've placed in bit.ly, and in insecure http. You might at least consider typing out https://bit.ly/newbox so that you only have to trust bit.ly. Better yet, memorize the URL that bit.ly links to.
Also, why do you symlink your dotfiles into your cloned git repo, rather than just checking out the git repo as ~? Personally, I just move the .git directory from the clone to ~, and then "git checkout -f".
I'm lazy and don't want to type out the GitHub URL, but you're right, I should place the redirection under my control and use HTTPS. Honestly, though, I cannot think of a single reason why anyone would want to hijack my script. I don't do anything very interesting that would make my machine a lucrative target for that sort of malicious activity. I'm a very small fish in a massive pond.
Also due to laziness I don't want to add a bunch of stuff to .gitignore, or add * and then add exceptions. I like having the symlinks.
Just watch out that you don't get a 404 one day and end up piping a whole lot of error screen HTML into your shell; it could have wildly unpredictable results.
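
Added example, not part of the thread: one way to address both concerns raised above (trusting plain HTTP through a shortener, and an HTTP error page being piped into the shell) is to download to a file over HTTPS only, fail on HTTP errors, and check a pinned SHA-256 before running anything. The function names and the idea of a pinned digest are assumptions made for this sketch; the curl flags are standard.

```shell
#!/bin/sh
# Added example (not from the thread): fetch a bootstrap script safely.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_script FILE EXPECTED_SHA256
# Succeeds only if FILE is non-empty and its digest matches the pinned value,
# so an HTML error page or a tampered script is rejected before execution.
verify_script() {
    [ -s "$1" ] || { echo "empty download" >&2; return 1; }
    actual=$(sha256_of "$1") || return 1
    [ "$actual" = "$2" ] || { echo "checksum mismatch: $actual" >&2; return 1; }
}

# fetch_and_run URL EXPECTED_SHA256
fetch_and_run() {
    tmp=$(mktemp) || return 1
    # --fail: exit non-zero on HTTP 4xx/5xx instead of saving the error page
    # --proto / --proto-redir: refuse plain http, including after redirects
    if curl --fail --silent --show-error --location \
            --proto '=https' --proto-redir '=https' \
            -o "$tmp" "$1" \
       && verify_script "$tmp" "$2"; then
        sh "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Call it as `fetch_and_run <https-url> <pinned-sha256>`; the digest has to be updated whenever the script changes, which is the cost of not trusting the redirect target blindly.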