cloudbase

Warn

Audited by Socket on Mar 29, 2026

2 alerts found:

Anomaly x2

Anomaly LOW
references/cloudbase-platform/SKILL.md

SUSPICIOUS. The skill’s stated CloudBase purpose matches its content, and CloudBase MCP itself appears to be an official same-org npm package. However, it instructs the agent to use an unrelated third-party CLI (`mcporter`) as the launcher for authenticated MCP operations, with mutable `@latest` installs. That is a proportionate but non-trivial supply-chain and credential-forwarding risk, not clear malware.

Confidence: 86%
Severity: 58%

Anomaly LOW
SKILL.md

SUSPICIOUS. The skill’s core purpose is coherent for a CloudBase development guide, and the CloudBase MCP package appears official. But it recommends unpinned `npx` execution, installs another skill transitively, and relies on a third-party `mcporter` runner whose publisher is not CloudBase/Tencent; combined with unclear auth-flow claims, this creates medium supply-chain and credential-routing risk rather than confirmed malware.

Confidence: 86%
Severity: 64%

Audit Metadata

Analyzed At: Mar 29, 2026, 04:21 AM
Package URL: pkg:socket/skills-sh/ljunn%2Fjunli-cloudbase%2Fcloudbase%2F@a38b41216788844af176e6a6134869b1c81f75e3