rtk
Warn
Audited by Socket on Apr 8, 2026
1 alert found:
Security alert (MEDIUM): scripts/install.sh
This module is primarily a convenience installer wrapper, but it contains a significant supply-chain execution risk: the `--method script` path downloads `install.sh` from a URL derived from user input (`--repo`) and immediately executes it via `curl ... | sh` without pinning or integrity verification (and it uses a moving `master` ref). While it includes basic functional verification via `rtk gain` (unless skipped) and performs no obvious in-file malicious behaviors (no secrets/exfiltration/persistence), the remote code execution pattern makes it a plausible attack vector if the remote content or repo reference is compromised or attacker-influenced.
Confidence: 74%
Severity: 78%