Skill v1.0.0
ClawScan security
MH bear-notes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 1:14 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is coherent: it documents using the grizzly CLI to control the Bear app, requests the grizzly binary (with an optional Go install), and only needs the Bear API token stored locally — nothing requested appears unrelated to the stated purpose.
- Guidance: This skill appears coherent, but take these precautions before installing:
  - Review the grizzly GitHub repo and consider pinning the module to a specific release rather than '@latest' to avoid unexpected upstream changes.
  - The Bear API token (~/.config/grizzly/token) is sensitive: create it only from the Bear app UI, store it with restrictive file permissions, and do not expose it to remote endpoints.
  - Be cautious with GRIZZLY_CALLBACK_URL: the callback mechanism is needed to read note contents, but if you configure the callback URL to a remote host it could transmit note data off your machine. Prefer localhost callbacks unless you explicitly need remote delivery.
  - Verify the built 'grizzly' binary (audit source or checksum) if you care about supply-chain/trust.
  - This skill is macOS-only and requires the Bear app to be installed and running.
  If you are comfortable with these trade-offs, the skill's requirements and instructions match its stated purpose.
- Findings:
  - [no_regex_findings] (expected): This is an instruction-only skill with no code files, so the regex-based scanner had nothing to analyze. That's expected for a CLI-invocation skill.
Review Dimensions
- Purpose & Capability (ok): Name/description match the requirements: the skill requires the 'grizzly' binary and (optionally) installs it from the grizzly Go module. All declared requirements (macOS/darwin, grizzly binary) are appropriate for managing Bear notes.
- Instruction Scope (note): SKILL.md confines actions to running grizzly commands and storing/reading a Bear API token at ~/.config/grizzly/token. One relevant risk to note: grizzly supports x-callback-style operations that send responses to a callback URL (GRIZZLY_CALLBACK_URL). If that URL is set to a remote endpoint, note contents or IDs could be sent off-host. The guidance in the skill uses a localhost callback by default, which is appropriate; users should avoid setting callback_url to an external host unless they intend remote delivery.
- Install Mechanism (note): Install spec uses 'go' to fetch github.com/tylerwince/grizzly/cmd/grizzly@latest and build a 'grizzly' binary. This is an expected, traceable source on GitHub, but '@latest' is mutable — consider pinning to a specific release/tag or reviewing the repo before building to reduce supply-chain risk.
- Credentials (ok): The skill declares no required environment variables and only relies on the Bear API token (stored in ~/.config/grizzly/token) and optional grizzly configuration (GRIZZLY_TOKEN_FILE, GRIZZLY_CALLBACK_URL, etc.). These are proportional to the task; the token is sensitive and should be protected (file permissions, avoid exporting it to remote callback URLs).
- Persistence & Privilege (ok): The skill does not request 'always: true' or other elevated persistence. Installing the grizzly binary writes a user-level binary; the skill does not modify other skills or system-wide agent settings. Runtime behavior (callbacks) is controlled by grizzly and user configuration.
