Installing shell scripts from the internet might be dangerous. The current install instructions ask users to download a shell script and set the executable bit without any file verification (signature check, hashsum verification, etc.).

curl https://cht.sh/:cht.sh > "$PATH_DIR/cht.sh"
chmod +x "$PATH_DIR/cht.sh"

At least a checksum verification should be implemented to make it more difficult for an attacker to temper with the script.

curl https://cht.sh/:cht.sh > "$PATH_DIR/cht.sh"
echo "d3135e42b800ff2e7aac44d4dfe500f0f4e2c7eb00a1c2191b0dc8b28431f155  $PATH_DIR/cht.sh" | sha256sum --check -
chmod +x "$PATH_DIR/cht.sh"

Please note that in case this is implemented, the hash must be updated if the cht.sh script is changed.
I'll add a PR for this that includes the checksum of the current script.

/edit: As mentioned in the link above, the shasum and the source file should live on different servers. So the question is: where is the website currently hosted? Looking up the IP of sheet.sh, it seems the IP is owned by you, @chubin. If GitHub Pages is not used for hosting the website, storing the shasums in a file in the repository would add an additional layer of security since an attacker would need to get access to both, your GitHub account and the server that runs somewhere else.