Oh, a script run on the Pi could absolutely root your system and give an attacker unfettered access to your Pi and potentially a jumping-off point to attack the rest of your network, so your caution is absolutely warranted if not outright encouraged. Not to mention, it’s always good practice to know what a script is doing to your system, since even if it’s intended to be benign it may have unintended consequences.
The security issue is why we have an SSL certificate for our get.pimoroni.com domain, so you can be reasonably assured that the script is not doing anything suspect - as long as you trust us that is (which given our piratical image you may not :D)
Unfortunately the scripts are so rammed with boilerplate code that it’s difficult to know what exactly they’re doing - usually you can check the very top and very bottom of our scripts for an idea of what boilerplate and custom actions are being performed.
From the top of Explorer HAT’s installer you can just about glean that - on top of installing the Python 2 and 3 libraries - it clones the “documentation” and “examples” folders from git, installs “cap1xxx” as a Python dependency, and optionally installs “pygame” for the examples.
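One way to do the kind of check described above, as an added example that is not part of the original post and not Pimoroni's code: save the installer to a file instead of running it directly, then list the lines that escalate privileges, install packages, fetch more code or delete files. The sample installer, its URLs and its variable name are constructed for the demonstration, and the patterns are a starting point rather than an exhaustive list.

```sh
#!/bin/sh
# Added example: summarise what a saved installer script does to the system.

# scan CATEGORY REGEX FILE: print "CATEGORY<TAB>LINENO:TEXT" for each match.
scan() {
    grep -nE -- "$2" "$3" | while IFS= read -r hit; do
        printf '%s\t%s\n' "$1" "$hit"
    done
}

# audit_installer FILE: report the lines worth reading before running FILE.
audit_installer() {
    b='(^|[^[:alnum:]_])'   # crude left word boundary
    scan privilege     "${b}sudo[[:space:]]" "$1"
    scan package       "${b}(apt-get|apt|pip[23]?)[[:space:]]+install" "$1"
    scan download      "${b}(curl|wget|git[[:space:]]+clone)[[:space:]]" "$1"
    # A script that fetches and runs a second script needs its own review.
    scan pipe-to-shell '[|][[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)' "$1"
    scan delete        "${b}rm[[:space:]]+-[[:alpha:]]*[rR]" "$1"
}

# Constructed stand-in for a saved installer (not the real Explorer HAT script).
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/bash
# constructed stand-in for illustration
pipdeps="cap1xxx"
sudo apt-get install -y python-pip python3-pip
sudo pip install "$pipdeps"
git clone https://example.invalid/explorer-hat.git
curl -sS https://example.invalid/extra.sh | bash
rm -rf explorer-hat
EOF

audit_installer "$sample"
```

Each reported line carries its line number, so the surrounding boilerplate can be skipped and only the flagged actions read in context.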