remote-cluster-agent
Audited by Socket on Apr 11, 2026
2 alerts found:
Anomaly / Security: No direct malicious indicators (no obfuscated payloads, secrets, exfiltration, or backdoor behavior) are present in this Bash fragment. However, it performs a supply-chain-sensitive editable install into a persistent venv and forwards attacker-controlled SSH command text and user-controlled paths into the registered MCP server via environment variables. The security of the system hinges on how mcp_remote_server.py interprets and executes NODES/agent/path values; without validation, this could enable command injection or remote execution. Overall: low-to-moderate malware likelihood in this specific fragment, with moderate security risk due to delegation of untrusted inputs to a long-running server.
SUSPICIOUS. The skill’s capabilities broadly match its stated remote-cluster purpose, but its footprint is high-trust and high-impact: it runs unverified local setup scripts, installs a custom MCP server, auto-deploys and executes a remote agent, edits SSH config, and enables arbitrary remote command execution and file transfer. Data flow stays on SSH to configured hosts rather than obvious third-party exfiltration, so this is not confirmed malware, but the custom execution chain and weakened SSH trust settings make it a materially risky infrastructure skill.