Bear Notes.Old

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears purpose-aligned, but users should protect the Bear API token it asks them to store locally.

Before installing, treat the Bear API token like a password. Store it only on machines you trust, restrict file permissions on ~/.config/grizzly and ~/.config/grizzly/token, avoid pasting the token into commands that may be saved in shell history, and revoke or rotate the token if you no longer use the skill.

SkillSpector (1)

By NVIDIA

Missing User Warnings

Medium
Confidence: 86%
Finding:
The skill instructs users to copy a Bear API token into a plaintext file under ~/.config/grizzly/token without any warning about credential sensitivity, file permissions, or risk of disclosure through shell history, backups, or multi-user systems. While this is a common local-token pattern, documenting it without safe-handling guidance can lead to unintended exposure of a credential that enables Bear API operations.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.
