onboarding
Audited by Socket on Feb 16, 2026
1 alert found:
Obfuscated File: The command installs nvm by fetching and immediately executing a remote install script. The primary security issue is the direct pipe-to-shell pattern, which executes unverified remote code with the user's privileges, a significant supply-chain risk. Using a tagged raw GitHub URL reduces but does not eliminate the risk, because compromise of the repository or account remains a viable attack vector. Mitigations: download the script first (curl -o install.sh), verify its contents and provenance (review the script; check commit signatures or checksums if provided), run it in a restricted environment (a container or non-privileged account), or install via a package manager or by manually following audited steps. If your threat model disallows executing remote scripts without verification, avoid this pattern.