bear-notes

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly supports ingesting arbitrary public URLs via the "grab-url" command (see SKILL.md and scripts/bear cmd_grab_url which builds a bear://x-callback-url/grab-url from an arbitrary URL) and the agent reads note contents from the local Bear SQLite database (~/.../database.sqlite), so untrusted third-party page content can be stored in notes and subsequently read/interpreted by the agent, potentially influencing its actions.