speak-memory
Audited by Socket on Mar 3, 2026
1 alert found:
Anomaly
This skill's design is coherent with its stated purpose: local persistent story-based memory stored under .speak-memory/ and index/story files. There is no evidence of network exfiltration, hardcoded secrets, or obfuscated malware in the provided text. The primary security concern is behavioral: the skill requires silent, automatic resumption and mandatory silent post-interaction updates to repository files, and it documents running a local management script that could be destructive depending on its implementation. These behaviors create a medium-level risk because they enable invisible modifications to a user's repository and could be surprising or abused if the implementation executes arbitrary local scripts without explicit, per-action user consent. I rate the probability of intentional malware as low, but the overall security risk as moderate due to the potential for stealthy local file changes and automated script invocation without strict safeguards or explicit confirmations.