obra-superpowers-pack

SUSPICIOUS: the manifest is coherent as a bundle of obra/superpowers skills, but its core behavior is transitive installation of many external skills through a third-party CLI and mutable GitHub paths. No direct credential theft or exfiltration is shown here, yet the delegated trust footprint is broader than a simple local helper and warrants medium-high security caution.