It might be possible for a project using Foreman to replace a commonly used tool like Rojo with a binary from a different source that could be malicious.

Do we think it's a concern that running rojo in a freshly-cloned directory could execute arbitrary code?

One possible guard would be needing to 'trust' any new source that tools are downloaded from. The first time a user tries to run a tool from rojo-rbx/rojo, Foreman would ask if it's okay.

On CI machines, we could add a flag like --always-trust-sources that lets us bypass this prompt.