find-scene
Warn
Audited by Socket on Apr 28, 2026
1 alert found:
Security (MEDIUM)
.github/workflows/deploy.yml
No explicit malware is visible in the provided YAML, but it implements a high-risk supply-chain pattern: on every push to the main branch it downloads an unpinned, unverified remote installer script and pipes it straight into a root shell (`curl ... | sudo sh`), then uses a secret token to publish to an external registry. If the upstream installer or its hosting is compromised, the workflow gives an attacker a straightforward path to tamper with the CI environment and abuse the publishing credentials and artifacts.
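The usual fix for this pattern is to stop executing whatever the network returns: download the installer to a file, check it against a checksum that is pinned in the repository alongside a pinned release version, and only then run it, without sudo. The POSIX shell below is an added example written for this page; it is not code from the find-scene repository, and the installer URL, destination path and digest it refers to are placeholders (the real workflow's installer and registry are not named on this page).

```shell
#!/bin/sh
# Hardened replacement for a `curl ... | sudo sh` step in a CI job.
# Added example, not taken from the find-scene workflow. The URL and the
# expected digest are hypothetical placeholders; a real job pins a specific
# release and copies the digest from the project's published checksums.
set -eu

# The risky pattern this replaces (do not use):
#   curl -fsSL https://example.invalid/install.sh | sudo sh

# sha256_of FILE -> prints the hex SHA-256 digest (sha256sum or shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_digest FILE EXPECTED -> returns 0 only when FILE hashes to EXPECTED.
verify_digest() {
  actual=$(sha256_of "$1")
  [ "$actual" = "$2" ]
}

# download_installer URL DEST -> fetch to a file, never to a pipe, so the
# content can be inspected and verified before anything executes.
# --proto '=https' and --tlsv1.2 refuse plaintext or downgraded transport;
# --fail stops an HTML error page from being treated as a script.
download_installer() {
  curl --fail --silent --show-error --location \
       --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# run_verified_installer FILE EXPECTED -> execute FILE only after its digest
# matches EXPECTED; on mismatch, refuse and return non-zero so the job fails.
# Runs as the current user: the install step should not need root on a runner.
run_verified_installer() {
  file=$1
  expected=$2
  if ! verify_digest "$file" "$expected"; then
    echo "refusing to run $file: SHA-256 digest mismatch" >&2
    return 1
  fi
  sh "$file"
}

# Typical use in the workflow's `run:` step (URL/digest are placeholders):
#   download_installer "https://example.invalid/releases/v1.2.3/install.sh" installer.sh
#   run_verified_installer installer.sh "$PINNED_INSTALLER_SHA256"
```

Checksum pinning covers the installer itself; the rest of the exposure on this page is the token. In the workflow, the publish step belongs in a protected `environment` that holds the registry token, with the job's `permissions:` reduced to what publishing needs, so that a compromised build step cannot read or reuse the credential.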
Confidence: 71%
Severity: 80%