Not fair take, cpuz and hwmonitor are often used on new installations of PCs (or at least for me) to verify hw specs and stuff. Or when I need to do some upgrade work for a desktop computer.
I just go to the trusted site, download what's there and get going. This is not an npm package that a dev is updating on day 0 of its release for being a "human shield", it's literally the first version which comes up when DLing the new software.
Seems like the kind of thing to just have on a bootable thumb drive, to inspect any machine without requiring installation on the fly.
In fact, I think I used to use memtest86+ this way as it is a baked in boot option on Fedora bootable ISO images. (Or at least was in the past, I haven't checked this recently.)
CPU-Z gets updated to recognise new CPUs and memory configs and thus must be downloaded new to recognise the new hardware in a new machine (otherwise it can’t recognise it properly). With Memtest sure but CPU-Z is something you actually need the latest version of when you first fire up a new PC.
OK, so a bootable thumb drive rather than a read-only ISO image?
I mean, it should be possible to give it an update function which you can run from any utility host, rather than requiring a live install at the moment you want to test a new machine.
That update function could do normal package management and repository things with digital signature checks, etc.
And it could be done ahead of time to support sneaker-net scenarios, i.e. where you won't have networking on the new machine that is being burned-in/validated.