Bear Notes Hardened
Review
Audited by ClawScan on May 3, 2026.
Overview
This is a coherent Bear Notes integration, but it can read or change private notes using grizzly and a Bear token, so users should install it only if they want that access.
Install this skill only if you are comfortable letting the agent use grizzly to access and update your Bear notes. Verify the grizzly CLI source, keep the Bear token secret, avoid bulk note reads, and review note-changing actions before they run.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can use the configured Bear token for supported Bear note operations, so mishandling the token could expose access to private notes.
The skill uses a local Bear API token for token-gated Bear operations. This is expected for the integration and the skill instructs not to expose it, but it is still credential access.
For some operations (add-text, tags, open-note --selected), a Bear app token (stored in `~/.config/grizzly/token`)
Keep the token file private, do not ask the agent to print it, and rotate the Bear token if you suspect it was exposed.
A mistaken or overly broad request could create or append content to the wrong Bear note.
The documented workflows can create and append Bear notes. This is central to the skill's purpose, but it means incorrect note IDs or ambiguous user requests could alter local notes.
echo "Note content here" | grizzly create --title "My Note" --tag work
...
grizzly add-text --id "NOTE_ID" --mode append --token-file ~/.config/grizzly/token
Review note titles, IDs, and proposed content before allowing note-changing operations; use `--dry-run` when appropriate.
Future upstream changes to grizzly could affect how Bear note data or tokens are handled.
The install mechanism fetches the grizzly CLI from an external Go module at the moving `@latest` version. This is expected for the skill, but the exact installed code can change over time.
github.com/tylerwince/grizzly/cmd/grizzly@latest
Prefer pinning grizzly to a reviewed version if your environment supports it, and review the upstream project before installation.
Private note content may be shown to or processed by the agent during requested read/search tasks.
Reading notes through callbacks can bring private Bear note content into the agent's working context. The skill includes guardrails against bulk dumping and network transmission, making this purpose-aligned but sensitive.
grizzly open-note --id "NOTE_ID" --enable-callback --json
Limit access to the specific notes needed, avoid bulk reads, and do not use this skill on notes containing secrets unless necessary.
