memory-management

SUSPICIOUS: the core memory purpose is coherent, but the footprint is broader than a simple memory helper. Main concerns are credential forwarding of ANTHROPIC_API_KEY into third-party hook code, automatic transcript harvesting, and transitive trust via auto-generated skills that load later without separate review. npm-based distribution lowers supply-chain risk versus raw installers, but package-name inconsistency and silent hook behavior keep overall risk elevated.