There's been a lot of discussion this week about a serious Safari bug. Basically, it can be tricked into running a script automatically if its 'Open "safe" files after downloading' setting is on. Shell scripts are not safe, but Safari can be tricked into thinking they are.

http://emperor.tidbits.com/webx?addBookmark@@.3c76e637

To check your systems if you can't see Safari (over ssh, etc.), use:

defaults read com.apple.Safari AutoOpenSafeDownloads

If you get back 0 or false, you're okay. If you need to turn it off, use:

defaults write com.apple.Safari AutoOpenSafeDownloads 0