I just read:
which links to:
This all appears to indicate
yaourt has a vulnerability in that it sources the remote PKGBUILD before presenting it to the user for checking. This gives anyone who submits an AUR package the ability to run scripts on your machine before you check the file.
So - should yaourt be deprecated until it is "fixed"?
Is octopi vulnerable to the same thing (which can be much worse if they are run as root)?
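An added demonstration of the problem described in the post (this is example code written for this page, not yaourt's or octopi's own implementation). It writes a constructed PKGBUILD whose top-level body has a side effect, then reads the package name two ways: by sourcing the file, which executes that side effect with the caller's privileges, and by extracting the assignment with text tools only, which does not. The file contents, the DEMO_MARKER variable and all function names are assumptions for the demo; the marker file stands in for whatever a real payload would do.

```shell
#!/bin/bash
# Example code for this discussion, not code from yaourt or octopi.
# Shows why sourcing a remote PKGBUILD before the user reviews it is dangerous.
set -u

# Write a constructed PKGBUILD. Anything at top level runs the moment the
# file is sourced, long before a package would be built. The payload here
# only creates a marker file (path taken from DEMO_MARKER, an assumed variable).
make_demo_pkgbuild() {
    local dir="$1"
    cat > "$dir/PKGBUILD" <<'EOF'
pkgname=demo-pkg
pkgver=1.0
pkgrel=1
pkgdesc="Constructed PKGBUILD for a sourcing demo"
arch=('any')
# Top-level code: executes on source, with the privileges of whoever sources it.
touch "$DEMO_MARKER"
package() {
    :
}
EOF
}

# The dangerous pattern: source the file to read its variables.
# The subshell keeps the sourced variables out of the caller, but the
# side effect (touch) has already happened by the time printf runs.
unsafe_read_pkgname() {
    local dir="$1"
    ( . "$dir/PKGBUILD"; printf '%s\n' "$pkgname" )
}

# A review-first alternative: pull simple key=value assignments with text
# tools only. It cannot evaluate expansions or functions, which is the point:
# nothing in the file runs until the user has read it and agreed.
safe_read_pkgname() {
    local dir="$1"
    sed -n 's/^pkgname=\([A-Za-z0-9._+-]*\)$/\1/p' "$dir/PKGBUILD" | head -n 1
}

# Returns 0 if reading the PKGBUILD the given way ("unsafe" or "safe")
# executed the embedded payload, 1 otherwise.
payload_ran() {
    local mode="$1" dir marker
    dir=$(mktemp -d)
    marker="$dir/marker"
    export DEMO_MARKER="$marker"
    make_demo_pkgbuild "$dir"
    case "$mode" in
        unsafe) unsafe_read_pkgname "$dir" > /dev/null ;;
        safe)   safe_read_pkgname "$dir" > /dev/null ;;
    esac
    if [ -e "$marker" ]; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}
```

The text-only reader deliberately gives up on anything computed at source time (pkgver from a function, arrays built from expansions), and makepkg itself will still source the file when the package is actually built. That is why the safe ordering is: fetch, show the full file to the user, and only then let anything evaluate it.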