firebase-cli
Audited by Socket on Mar 13, 2026
1 alert found:
Obfuscated File

The installer script itself contains no explicit malicious code (no hardcoded secrets, no obfuscation, no credential harvesting). However, it performs high-risk supply-chain actions: executing a remote bootstrapper via 'curl | bash' without integrity checks and performing 'npm install -g', which runs code from the npm registry. These behaviors are common for CLI installers but are the main security concerns.

Recommendations: avoid piping remote scripts directly into a shell; instead download and verify signatures or checksums, prefer installing pinned package versions with lockfile or integrity verification, run installs in constrained environments (containers or CI runners with least privilege), and validate any unusual documentation strings (internal paths) during repo provenance checks.