bear-notes
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of the 'grizzly' binary using the command 'go install github.com/tylerwince/grizzly/cmd/grizzly@latest'. This downloads and executes code from a third-party repository that is not part of the trusted vendors list.
- [COMMAND_EXECUTION]: The skill uses the 'grizzly' CLI to perform operations such as creating, reading, and searching notes. These operations involve executing shell commands that interact with the local filesystem and the Bear application's internal database via x-callback-urls.
- [CREDENTIALS_UNSAFE]: The skill documentation instructs users to store a Bear API token in a configuration file at '~/.config/grizzly/token'. Accessing this sensitive file is necessary for the skill's primary functionality but represents a potential exposure of user credentials.