bear-notes

Pass

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the grizzly command-line utility from an external GitHub repository (github.com/tylerwince/grizzly) using the go install command during the skill's setup phase.\n- [COMMAND_EXECUTION]: The skill executes shell commands using the grizzly binary to interact with the Bear application. This includes creating, searching, and reading notes on the local system.\n- [CREDENTIALS_UNSAFE]: The skill manages a Bear API token stored in a local configuration file (~/.config/grizzly/token). The agent is instructed to read this file to authenticate operations with the Bear application.\n- [DATA_EXFILTRATION]: The skill extracts note content and metadata (such as tags and note IDs) from the local Bear application and provides it to the AI agent's context.\n- [PROMPT_INJECTION]: The skill processes note data which may contain untrusted instructions, presenting a surface for indirect prompt injection.\n
  • Ingestion points: Note content and tags are read via grizzly open-note and grizzly tags as described in SKILL.md.\n
  • Boundary markers: There are no explicit boundary markers or instructions to differentiate note content from agent instructions.\n
  • Capability inventory: The skill has the capability to write to the Bear application using grizzly create and grizzly add-text as seen in SKILL.md.\n
  • Sanitization: No sanitization or validation of the note content is performed before it is processed by the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — bear-notes