supaterm-computer-use

SUSPICIOUS: the skill's capabilities are broadly consistent with its stated purpose of host UI automation, but the scope is inherently high impact because it can control local apps and browsers, read arbitrary page content, and execute page JavaScript. No clear credential harvesting or exfiltration path is shown, so this is not malicious on its face; the main risks are powerful autonomy, prompt-injection exposure from web content, and incomplete trust evidence for the underlying `sp` CLI.