bear-notes
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill installs the grizzly binary from an untrusted GitHub repository (github.com/tylerwince/grizzly) using go install. Per [TRUST-SCOPE-RULE], this is unverifiable.
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection Risk. 1. Ingestion points: grizzly open-note, grizzly tags, grizzly open-tag. 2. Boundary markers: Absent. 3. Capability inventory: Subprocess calls to grizzly for creating and modifying notes. 4. Sanitization: Absent. An attacker could place malicious instructions in a Bear note that the agent reads and then follows, leading to unauthorized note modification or data exposure.
- [COMMAND_EXECUTION] (LOW): The skill requires executing the grizzly CLI tool to function. While legitimate for the use case, it provides a vector for command injection if inputs are not sanitized.
- [CREDENTIALS_UNSAFE] (LOW): The skill instructs the user to store their Bear API token in a plaintext file at ~/.config/grizzly/token. This creates a known target for potential data exposure if other skills access the filesystem.
Recommendations
- AI detected serious security threats
Audit Metadata