wget -O - | sh: Piping Installers, with Caution
wget -O - URL | sh streams a remote script straight into a shell, a convenient but risky install pattern.
Many install one-liners pipe a downloaded script into sh. It works, but it executes whatever the server returns, so treat it with care in automation.
What it does
wget -O - URL writes the response to stdout, and piping it to sh (or bash) executes it directly. Nothing is saved or inspected; the shell runs exactly what the server sent at that moment, including any redirect or tampering.
Common usage
# convenient but unverified
wget -qO - https://get.example.com/install.sh | sh
# safer: download, inspect, then run
wget -qO install.sh https://get.example.com/install.sh
less install.sh # review it
sh install.shOptions
| Flag | What it does |
|---|---|
| -O - | Write to stdout so it can be piped |
| -q | Quiet so only the script output shows |
| --https-only | Refuse to follow non-HTTPS redirects |
| --no-check-certificate | Skip TLS verification (do not pair this with | sh) |
In CI
Prefer download-then-inspect over piping to a shell in pipelines: pin a version, verify a checksum, and only then execute. If you must pipe, use HTTPS with verification on (never --no-check-certificate here) and pin to an immutable URL so the script cannot change under you between runs.
Common errors in CI
A partial download piped to sh can run half a script and fail with a confusing syntax error: unexpected end of file, because the transfer was cut off mid-stream. wget: command not found means wget is not installed on the image; install it or use curl. A 404 piped to sh executes the error page as a script.