gate-mcp-codex-installer
Audited by Socket on Apr 2, 2026
2 alerts found:
Anomaly, Security
Best assessment: the snippet is not evidence of overt malware, but it is a high-impact security hygiene issue because it hardcodes API credentials in configuration and passes them into an external process via environment variables. Ensure real secrets are not committed, use secret managers/CI variables, and verify the `gate-mcp` binary provenance and logging behavior. Review whether any potentially exposed credentials can be rotated.
SUSPICIOUS. The stated purpose matches an installer, but the footprint is broader than necessary: it executes installer scripts, installs all skills by default, and routes future MCP traffic and credentials through gatemcp.ai endpoints. Same-org GitHub references reduce concern somewhat, but the transitive skill installation and third-party-hosted MCP gateway make this medium-high risk rather than benign.