sprite

Fail

Audited by Socket on Mar 18, 2026

1 alert found:

Malware (HIGH)
SKILL.md

SUSPICIOUS: The skill is internally consistent with its stated purpose, but that purpose itself requires high-trust behavior: extracting a local Claude OAuth token, forwarding it to a remote Sprites.dev VM, and letting the agent control an InnerClaude session that can approve actions interactively. No clear signs of malware or deceptive exfiltration were found, and installer evidence appears same-org/official, but the credential-forwarding and autonomous remote-operation footprint make this a medium-high security risk skill.

Confidence: 86%
Severity: 68%

Audit Metadata

Analyzed At: Mar 18, 2026, 10:34 PM
Package URL: pkg:socket/skills-sh/spm1001%2Fclaude-suite%2Fsprite%2F@b1ae0d944bd0445e4b3442a68865742c1621522a