claudemem — Persistent Agent Memory & Notes
Pass. Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill's installation instructions in `SKILL.md` recommend installing the `claudemem` CLI tool via `curl -fsSL ... | bash` from a remote GitHub repository (raw.githubusercontent.com/zelinewang/claudemem). Although the `scripts/install.sh` script itself appears to be a standard installer, this method introduces a significant supply chain vulnerability: it executes arbitrary code from an external source, which poses a critical Remote Code Execution (RCE) risk if the remote repository or script is compromised. It also contradicts the 'zero network' claim for the installation phase, although the runtime behavior of the tool is implied to be local. The agent's instructions to read conversation history and local system context (`pwd`, `git rev-parse`) are aligned with the stated memory-keeping purpose, but the installer's vulnerability makes the skill suspicious.
