bear-notes
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
grizzlycommand-line utility from an external GitHub repository (github.com/tylerwince/grizzly) using thego installcommand during the skill's setup phase.\n- [COMMAND_EXECUTION]: The skill executes shell commands using thegrizzlybinary to interact with the Bear application. This includes creating, searching, and reading notes on the local system.\n- [CREDENTIALS_UNSAFE]: The skill manages a Bear API token stored in a local configuration file (~/.config/grizzly/token). The agent is instructed to read this file to authenticate operations with the Bear application.\n- [DATA_EXFILTRATION]: The skill extracts note content and metadata (such as tags and note IDs) from the local Bear application and provides it to the AI agent's context.\n- [PROMPT_INJECTION]: The skill processes note data which may contain untrusted instructions, presenting a surface for indirect prompt injection.\n - Ingestion points: Note content and tags are read via
grizzly open-noteandgrizzly tagsas described inSKILL.md.\n - Boundary markers: There are no explicit boundary markers or instructions to differentiate note content from agent instructions.\n
- Capability inventory: The skill has the capability to write to the Bear application using
grizzly createandgrizzly add-textas seen inSKILL.md.\n - Sanitization: No sanitization or validation of the note content is performed before it is processed by the agent.
Audit Metadata