manimate
Warn
Audited by Socket on Mar 6, 2026
1 alert found:
Anomaly (LOW): bin/postinstall.js
The script simply runs a bundled install.sh using bash. The JS is not itself obfuscated or directly malicious, but executing a packaged shell script without integrity checks is a meaningful supply-chain risk: if install.sh is malicious or tampered with, arbitrary code will run on the host. Audit the install.sh contents and the package publishing process before trusting this package.
Confidence: 80%
Severity: 50%
Audit Metadata