cloudbase

SUSPICIOUS: The skill’s CloudBase development purpose broadly matches its capabilities, and the primary `@cloudbase/cloudbase-mcp` installer has credible same-org npm/docs evidence. However, risk is elevated by unpinned `npx @latest` execution, the requirement to use third-party `mcporter` as a fallback, and explicit transitive installation of another skill via `skills add`. This is not confirmed malicious, but its execution and trust chain are broader than necessary for a simple documentation/development skill.

SUSPICIOUS. The skill’s stated CloudBase purpose matches its content, and CloudBase MCP itself appears to be an official same-org npm package. However, it instructs the agent to use an unrelated third-party CLI (`mcporter`) as the launcher for authenticated MCP operations, with mutable `@latest` installs. That is a proportionate but non-trivial supply-chain and credential-forwarding risk, not clear malware.