cloudbase

SUSPICIOUS: The core CloudBase guidance is broadly aligned with its stated purpose, and the main MCP package appears official. Risk comes from unpinned `npx` execution, reliance on third-party `mcporter`, and especially the instruction to install additional skills via the external `skills` CLI, which extends the agent’s trust boundary. This looks more like a legitimate but high-trust operational skill than malware.