bear-notes
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill installs the
grizzlybinary from an untrusted GitHub source (github.com/tylerwince/grizzly/cmd/grizzly@latest). This source is not among the trusted GitHub organizations, presenting a supply chain risk. - [COMMAND_EXECUTION] (MEDIUM): The skill relies on executing the
grizzlyCLI, providing the agent with the capability to perform operations on the host's filesystem and within the Bear application. - [CREDENTIALS_UNSAFE] (LOW): Instructions require the user to store a Bear API token in a predictable, plaintext location (
~/.config/grizzly/token), making it susceptible to discovery by other local processes. - [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface. Evidence: 1. Ingestion: The
open-notecommand reads potentially untrusted note content. 2. Boundary Markers: Absent; no instructions exist to ignore commands inside notes. 3. Capability Inventory: Includes note creation and modification. 4. Sanitization: None; note data is processed directly as fetched.
Recommendations
- AI detected serious security threats
Audit Metadata