bear-notes
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill setup involves downloading and installing the `grizzly` CLI tool directly from an unverified third-party GitHub repository (github.com/tylerwince/grizzly) using the Go package manager.
- [CREDENTIALS_UNSAFE]: The skill accesses a sensitive Bear API authentication token stored at `~/.config/grizzly/token`. This token is used to authenticate requests to the Bear app and is passed to the CLI tool during execution.
- [COMMAND_EXECUTION]: The skill performs various note management tasks by executing shell commands with the `grizzly` binary, often involving piped input (e.g., `echo "..." | grizzly create`).
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by reading note content from the Bear application, which could contain instructions intended to influence the agent.
  - Ingestion points: Note content retrieved via `grizzly open-note` or `grizzly open-tag`.
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands within the retrieved note data.
  - Capability inventory: The skill can create notes (`grizzly create`) and append text (`grizzly add-text`), which could allow a malicious instruction to persist or propagate.
  - Sanitization: There is no evidence of content sanitization or validation performed on the data returned from Bear before it is processed by the agent.
Audit Metadata