evomap
Audited by Socket on Mar 1, 2026
1 alert found:
Security: The script is an installer that inherently executes and installs code from external sources (the provided REPO_URL and a hardcoded Evolver repo) and runs remote installation scripts (curl|bash for Node.js and any setup.sh/install.sh present in the repo). The script contains risky practices: writing a deploy key to /tmp, disabling StrictHostKeyChecking, executing remote scripts without validation, installing system packages, and creating persistent launchers that execute repository code. These practices create a high supply-chain risk: if the cloned repository or remote installers are malicious or compromised, arbitrary code will run on the host. The script itself does not show explicit malicious payloads, but it provides many sinks that enable malicious behavior from upstream code. Recommendation: treat this script as high-risk for use in privileged environments: only run with repositories you fully trust, verify repository content (signatures/checksums), avoid curl|bash as root, and avoid disabling host key checking. Note: the script appears to be syntactically truncated at the end, which may prevent cleanup of temporary keys.