The wp_remote_*() functions (like wp_remote_get()) do not validate the passed URL, resulting in the possibility for malicious requests if the $url is user-controlled. The wp_safe_remote_*() functions should be instead, since "the URL is validated to avoid redirection and request forgery attacks."