Skip to content
Latchkey

wget -O - | sh: Piping Installers, with Caution

wget -O - URL | sh streams a remote script straight into a shell, a convenient but risky install pattern.

Many install one-liners pipe a downloaded script into sh. It works, but it executes whatever the server returns, so treat it with care in automation.

What it does

wget -O - URL writes the response to stdout, and piping it to sh (or bash) executes it directly. Nothing is saved or inspected; the shell runs exactly what the server sent at that moment, including any redirect or tampering.

Common usage

Terminal
# convenient but unverified
wget -qO - https://get.example.com/install.sh | sh
# safer: download, inspect, then run
wget -qO install.sh https://get.example.com/install.sh
less install.sh   # review it
sh install.sh

Options

FlagWhat it does
-O -Write to stdout so it can be piped
-qQuiet so only the script output shows
--https-onlyRefuse to follow non-HTTPS redirects
--no-check-certificateSkip TLS verification (do not pair this with | sh)

In CI

Prefer download-then-inspect over piping to a shell in pipelines: pin a version, verify a checksum, and only then execute. If you must pipe, use HTTPS with verification on (never --no-check-certificate here) and pin to an immutable URL so the script cannot change under you between runs.

Common errors in CI

A partial download piped to sh can run half a script and fail with a confusing syntax error: unexpected end of file, because the transfer was cut off mid-stream. wget: command not found means wget is not installed on the image; install it or use curl. A 404 piped to sh executes the error page as a script.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →