bear-notes

Warn

Audited by Socket on Mar 18, 2026

1 alert found:

Anomaly (LOW)
SKILL.md

SUSPICIOUS. The skill's capabilities match its stated Bear-notes purpose and its data flows are mostly consistent with Bear's documented x-callback-url API, but it relies on an unpinned third-party CLI from a personal GitHub repo and forwards a Bear token to that tool. This is not clearly malicious, but the install trust and credential-forwarding footprint are broader than an official Bear integration would be.

Confidence: 86%, Severity: 58%

Audit Metadata
Analyzed At: Mar 18, 2026, 10:44 PM
Package URL: pkg:socket/skills-sh/elizaos%2Feliza%2Fbear-notes%2F@2603323807b4b0075263f1f69abf3fd2933f0cce