bear-notes
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's installation process fetches the grizzly binary from a personal GitHub repository (github.com/tylerwince/grizzly) using the Go module system. This source is not associated with a verified or trusted organization.
- [CREDENTIALS_UNSAFE]: The skill reads from, and instructs users to store, an authentication token in a plaintext file at ~/.config/grizzly/token. While necessary for the tool's functionality, this sensitive path exposure allows local processes to potentially access the token.
- [COMMAND_EXECUTION]: The skill provides the agent with the ability to execute the grizzly CLI tool on macOS. This capability allows direct interaction with the Bear application's data and the local file system through shell commands.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it ingests data (note content and tags) from the Bear application and processes it through the LLM without sanitization.
  - Ingestion points: Commands such as open-note, tags, and open-tag retrieve data from the Bear database to be read by the agent.
  - Boundary markers: The skill does not implement boundary markers or instructions to disregard potential commands embedded within retrieved note text.
  - Capability inventory: The agent can use the grizzly CLI to create, modify, or delete notes based on the data it receives.
  - Sanitization: There is no evidence of content validation or escaping before the external data is interpolated into the agent's context.
Audit Metadata