dev-agent-spawn

SUSPICIOUS: the skill’s core behavior matches its stated purpose and install sources are largely legitimate, but it intentionally spawns high-autonomy agent sessions using dangerous approval-bypass flags and supports arbitrary custom commands. The main risk is not hidden exfiltration; it is enabling powerful unattended local and repo-affecting actions through Ghostty/tmux orchestration.