dev-agent-spawn

SUSPICIOUS: the core Ghostty/tmux/AeroSpace footprint is coherent for a terminal agent spawner, and install sources appear official. Risk comes from its broad local control, default sandbox bypass via --dangerously-skip-permissions, arbitrary command injection into spawned sessions, transcript handling, and documented autonomous actions like git push/PR creation. This looks like a powerful but purpose-aligned orchestration skill, not confirmed malware.