diff --git a/scripts/install-openshell.sh b/scripts/install-openshell.sh
index dbbeed409..54e5f777b 100755
--- a/scripts/install-openshell.sh
+++ b/scripts/install-openshell.sh
@@ -79,14 +79,23 @@ esac
 tmpdir="$(mktemp -d)"
 trap 'rm -rf "$tmpdir"' EXIT
 
+CHECKSUM_FILE="openshell-checksums-sha256.txt"
 if command -v gh >/dev/null 2>&1; then
   GH_TOKEN="${GITHUB_TOKEN:-}" gh release download --repo NVIDIA/OpenShell \
     --pattern "$ASSET" --dir "$tmpdir"
+  GH_TOKEN="${GITHUB_TOKEN:-}" gh release download --repo NVIDIA/OpenShell \
+    --pattern "$CHECKSUM_FILE" --dir "$tmpdir"
 else
   curl -fsSL "https://github.com/NVIDIA/OpenShell/releases/latest/download/$ASSET" \
     -o "$tmpdir/$ASSET"
+  curl -fsSL "https://github.com/NVIDIA/OpenShell/releases/latest/download/$CHECKSUM_FILE" \
+    -o "$tmpdir/$CHECKSUM_FILE"
 fi
 
+info "Verifying SHA-256 checksum..."
+(cd "$tmpdir" && grep "$ASSET" "$CHECKSUM_FILE" | shasum -a 256 -c -) \
+  || fail "SHA-256 checksum verification failed for $ASSET"
+
 tar xzf "$tmpdir/$ASSET" -C "$tmpdir"
 
 target_dir="/usr/local/bin"
diff --git a/scripts/install.sh b/scripts/install.sh
index b00de5e86..1da8465bf 100755
--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -341,15 +341,24 @@ install_openshell() {
   esac
 
   tmpdir="$(mktemp -d)"
+  CHECKSUM_FILE="openshell-checksums-sha256.txt"
   if command -v gh >/dev/null 2>&1; then
     GH_TOKEN="${GITHUB_TOKEN:-}" gh release download --repo NVIDIA/OpenShell \
       --pattern "$ASSET" --dir "$tmpdir"
+    GH_TOKEN="${GITHUB_TOKEN:-}" gh release download --repo NVIDIA/OpenShell \
+      --pattern "$CHECKSUM_FILE" --dir "$tmpdir"
   else
     # Fallback: curl latest release
     curl -fsSL "https://github.com/NVIDIA/OpenShell/releases/latest/download/$ASSET" \
       -o "$tmpdir/$ASSET"
+    curl -fsSL "https://github.com/NVIDIA/OpenShell/releases/latest/download/$CHECKSUM_FILE" \
+      -o "$tmpdir/$CHECKSUM_FILE"
   fi
 
+  info "Verifying SHA-256 checksum..."
+  (cd "$tmpdir" && grep "$ASSET" "$CHECKSUM_FILE" | shasum -a 256 -c -) \
+    || fail "SHA-256 checksum verification failed for $ASSET"
+
   tar xzf "$tmpdir/$ASSET" -C "$tmpdir"
 
   if [ -w /usr/local/bin ]; then
diff --git a/test/runner.test.js b/test/runner.test.js
index f35c88256..c85690573 100644
--- a/test/runner.test.js
+++ b/test/runner.test.js
@@ -207,5 +207,17 @@ describe("runner helpers", () => {
       expect(src.includes("validateName(SANDBOX")).toBeTruthy();
       expect(!src.includes("execSync")).toBeTruthy();
     });
+
+    it("install.sh verifies OpenShell binary checksum after download", () => {
+      const src = fs.readFileSync(path.join(import.meta.dirname, "..", "scripts", "install.sh"), "utf-8");
+      expect(src).toContain("openshell-checksums-sha256.txt");
+      expect(src).toContain("shasum -a 256 -c");
+    });
+
+    it("install-openshell.sh verifies OpenShell binary checksum after download", () => {
+      const src = fs.readFileSync(path.join(import.meta.dirname, "..", "scripts", "install-openshell.sh"), "utf-8");
+      expect(src).toContain("openshell-checksums-sha256.txt");
+      expect(src).toContain("shasum -a 256 -c");
+    });
   });
 });