mem-learn

SUSPICIOUS. The functional scope matches a knowledge-capture skill, but the main risk is install/execution trust: it relies on an unpinned, externally fetched npm CLI whose publisher relationship and release provenance could not be verified from the provided evidence. No clear credential theft or explicit exfiltration is shown, so this is not confirmed malicious, but the runtime supply-chain risk is high enough to treat cautiously.