mem-init

SUSPICIOUS: The file-editing behavior matches the stated bootstrap purpose, but the skill persists automatic execution of an unverified external npm package through CLAUDE.md guidance and an optional startup hook. The main risk is supply-chain trust and recurring third-party code execution, not confirmed malware.