Hacker News

emulio today at 4:33 PM (5 replies)

The installation method they officially propagate is dangerous. curl -fsSL https://mimo.xiaomi.com/install | bash

This is usually a PoC (Proof of concept) way to install something on a temporary container or temporary VM, but not for production use during daily desktop operation.

I was hoping their documentation would provide better installation instructions. But strangely, only for Windows do they recommend "npm install -g @mimo-ai/cli," which is a much better approach to managing installed packages.

For Mac/Linux, they have the strange recommendation to use the dangerous "curl <some_url> | bash." Quote:

> (for the best experience, Mac users are strongly encouraged to use iTerm or the VSCode Terminal)
> curl -fsSL https://mimo.xiaomi.com/install | bash

:(


Replies

mapontosevenths today at 4:45 PM

This is how everyone does it now. Including Anthropic.

To be fair, is that any different from naively trusting NPM? It's not like NPM is doing any vetting. They're every threat actor's favorite sandbox these days.

https://code.claude.com/docs/en/quickstart

plus-one today at 4:44 PM

Codex uses this (for update).

> sh -c 'curl -fsSL https://chatgpt.com/codex/install.sh | CODEX_NON_INTERACTIVE=1 sh'

This is just sh, not bash, but I doubt it would be any better.

folkrav today at 4:42 PM

You're right that it's as dangerous as it's executing random third-party code on your machine, but the method also has propagated far beyond PoCs and such at this point. All of these projects and many others push that install method: Bun, Deno, rustup, k3s, Docker (if using their helper script), Homebrew, Tailscale...

LeonidBugaev today at 4:35 PM

That's exactly the same as what Claude Code offers: https://code.claude.com/docs/en/quickstart

nailer today at 4:35 PM

We've had this discussion since Eazel Linux desktop popularized bash | curl in 2001.

> npm install ... is a much better approach to managing installed packages.

No. Until the upcoming version of npm is out, npm will also run arbitrary code. Almost all common installation tools run arbitrary code. Not doing that is sadly the exception for now.
