See the solution marked here - scripts sent down in this manner are sent from the server to the agents at runtime, saved into a temp file, and then executed. You can easily modify the provided script to automatically delete the temp file as well. This ensures that your agents are receiving the most up-to-date version of the script, saved within your repository and thus behind the built-in authentication/authorization provided, as well as ensuring that the script is not tampered with before execution.
Edit - Adam’s too fast!