It is indeed not very likely to occur, since the same could be done by running npm install. But it is something that would be listed as a vulnerability by users who have something valuable in their IDE, and by people doing security audits.
Also, I don’t think this is a very common request, since it didn’t get any likes and has two comments in support, so in addition to creative solutions we need more reasoning showing why this is a good idea, and why it should be implemented before other requests.
It seems the benefit of running setup scripts automatically is not that large: Cloud9 opens the readme after cloning, and opens a terminal below it, so copying ./bin/setup from the top pane to the bottom and pressing enter is not much more difficult than clicking a dialog button.
That said, we could add an unobtrusive, non-modal notification that the repository author asks to run these commands.
Or we could make markdown notebooks, similar to R Markdown notebooks in RStudio, which would allow users to run scripts in the readme with one click (of course, after accepting a scary warning dialog:)