There's been a lot of discussion this week about a serious Safari bug. Basically, Safari can be tricked into running a script automatically if its 'Open "safe" files after downloading' setting is on. Shell scripts are not safe, but Safari can be tricked into thinking they are.

To check your systems if you can't see Safari (over ssh, etc.), use:

defaults read com.apple.Safari AutoOpenSafeDownloads

If you get back 0 or false, you're okay. If you need to turn it off, use:

defaults write com.apple.Safari AutoOpenSafeDownloads 0
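
The check and the fix above, wrapped as shell functions for use over ssh. This is an added example, not part of the original tip: the function names are hypothetical, and a key that has never been written is treated as not safe on the assumption that Safari's default is to open "safe" files.

```shell
#!/bin/sh
# Added example: audit and disable Safari's 'Open "safe" files after
# downloading' setting for the current user. Function names are hypothetical.

# Prints "off", "on" or "unset"; returns 0 only when auto-open is off.
safari_autoopen_state() {
    if ! value=$(defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null); then
        # The key was never written, so "defaults read" fails.
        # Assumption: Safari then uses its default, which is auto-open enabled.
        echo "unset"
        return 1
    fi
    case "$value" in
        0|false) echo "off"; return 0 ;;
        *)       echo "on";  return 1 ;;
    esac
}

# Turns the setting off if needed, then re-reads it to confirm the write.
# Returns 2 if the write failed, 3 if the value did not change.
safari_autoopen_disable() {
    state=$(safari_autoopen_state) && { echo "already off"; return 0; }
    defaults write com.apple.Safari AutoOpenSafeDownloads 0 || return 2
    safari_autoopen_state >/dev/null || return 3
    echo "was $state, now off"
}

# Usage on a Mac: source this file, then run
#   safari_autoopen_state      # report only
#   safari_autoopen_disable    # report and fix
```

The preference is stored per user, so run it as each account that uses Safari.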