It’s not a “random pip”. The maintainer is a well-known open source developer (one of the creators of Django and Datasette). It’s also a very small codebase – not many places for malicious code to hide.
OK, but I mean I don't know them, and it could have been someone pretending to be them, and it's probably easily possible to trick me about API keys. We are discussing it on a Hacker News website; do you seriously think tricks couldn't be hidden in a repo like that?
Do you only use software by people you know? At some point there has to be an element of trust when you run software you downloaded over the Internet. If a small utility maintained by a well-known member of the developer community doesn’t qualify for that trust, then I think that rules out an awful lot of software that all of us here probably use on a day to day basis. This is not an extraordinary level of risk.
I mean, I usually use software that came with my computer or that I apt-install from the official Ubuntu distribution. I know it's not perfect security, but at least it's more than a Hacker News link to a GitHub pip. If I have to use other ones, it's usually from people I know.