The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/bear is vulnerable to SQL injection due to the lack of sanitization when interpolating user-provided variables into SQLite queries.
Evidence: In cmd_search (lines 105-117), the ${term} and ${tag} variables are inserted directly into sqlite3 query strings.
Evidence: In cmd_open (lines 122-125), the ${id} variable is interpolated into the query.
Evidence: In cmd_open_title (lines 149-152), the ${title} variable is interpolated into the query.
Evidence: In cmd_tag (lines 187-190), the ${name} variable is used in a LIKE clause.
Evidence: Similar patterns are found in cmd_untagged (lines 201-203), cmd_todos (lines 230-233), and cmd_today (lines 255-257).
Impact: An attacker can craft inputs to manipulate the SQL logic, potentially leaking sensitive note content or bypassing search constraints.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes note content from the Bear database without sanitization or boundary markers.
Ingestion points: scripts/bear (functions cmd_search, cmd_open, cmd_todos).
Boundary markers: None. Retrieved note content is returned to the agent without delimiters or instructions to ignore embedded commands.
Capability inventory: The skill can read all notes via sqlite3 and modify notes/tags via open bear://x-callback-url.
Sanitization: None. Note text is used as-is.
Impact: Malicious instructions stored in a note could be executed by the agent when searching or reading notes, leading to unauthorized actions like deleting notes.

bear-notes