bear-notes
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of a CLI tool via `go install github.com/tylerwince/grizzly/cmd/grizzly@latest`. This repository is owned by an unverified third-party user, introducing a risk of supply chain compromise or unvetted code updates.
- [COMMAND_EXECUTION]: The skill performs shell command execution to interact with the Bear application, utilizing the `grizzly` binary with various flags and piped inputs.
- [CREDENTIALS_UNSAFE]: The skill interacts with and instructs users to store a Bear API token in a plaintext file at `~/.config/grizzly/token`. The use of sensitive file paths for credential storage increases the risk of local data exposure.
- [PROMPT_INJECTION]: The skill ingests untrusted data from Bear notes via `grizzly open-note` and `grizzly tags` (as documented in SKILL.md) without boundary markers or sanitization. This creates a surface for indirect prompt injection where malicious content in a note could influence agent behavior. The skill includes write capabilities through note creation and text appending commands.
Audit Metadata