
You are piping the output of an untrusted command into a shell that will execute it. This leaves no way to verify that the code you are running is legit. No md5 verification, no cursory inspection of the script, etc. There could even be hijacked DNS that points to a server that specifically does a bad thing. Maybe not a huge deal for small projects, but it's not a great idea in general.

Try this to see a proof of concept:

$ echo "echo test" | bash
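
The verification step the comment says is missing, as an added example that is not part of the original comment: the script is saved to a file, its digest is compared with a pinned value, and it runs only on a match. The helper names `sha256_of` and `verify_then_run` are hypothetical, SHA-256 is used in place of the md5 the comment mentions, and the sample installer is constructed.

```shell
#!/bin/sh
# Added example: check a saved script against a pinned digest before running it.

sha256_of() {
    # Print the SHA-256 hex digest of a file, using whichever tool is installed.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_then_run() {
    # verify_then_run FILE EXPECTED_SHA256
    # Returns 2 if the file is missing, 1 on a digest mismatch (nothing is run),
    # otherwise the exit status of the script itself.
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file; refusing to run" >&2
        return 1
    fi
    sh "$file"
}

demo() {
    # Constructed sample: a stand-in installer, then a tampered copy of it.
    dir=$(mktemp -d) || return 2
    printf 'echo test\n' > "$dir/install.sh"
    # In practice the digest comes from the publisher over a separate channel;
    # it is computed locally here only to keep the example self-contained.
    pinned=$(sha256_of "$dir/install.sh")
    verify_then_run "$dir/install.sh" "$pinned"    # runs the script, prints: test
    printf 'echo tampered\n' >> "$dir/install.sh"
    verify_then_run "$dir/install.sh" "$pinned" || echo "blocked (exit $?)"
    rm -rf "$dir"
}
demo
```

The pinned digest only helps if it is obtained separately from the script; a digest served by the same host protects against corruption, not against a hijacked server.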


