Bear Notes
Review
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent and purpose-aligned, but it can use an external CLI and optional Bear token to read or change private Bear notes.
This appears safe for its stated purpose if you trust the grizzly CLI and are comfortable letting the agent read or modify Bear notes. Protect the Bear token file, consider pinning the grizzly version, and avoid exposing notes that contain secrets unless necessary.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the agent can create or modify Bear notes according to the commands it runs.
The skill documents CLI commands that create and append to persistent Bear notes, which is expected for this skill but is still mutation authority.
echo "Note content here" | grizzly create --title "My Note" --tag work ... grizzly add-text --id "NOTE_ID" --mode append --token-file ~/.config/grizzly/token
Review note-changing requests before allowing them, and use `--dry-run` or `--print-url` when you want to preview a grizzly action.
Anyone or any process that can read or misuse the token file may be able to perform Bear API actions available to that token.
The skill uses a Bear API token for some Bear operations. This is purpose-aligned and disclosed, but the token grants access to Bear actions.
For some operations (add-text, tags, open-note --selected), a Bear app token (stored in `~/.config/grizzly/token`)
Store the token file with appropriate local permissions, avoid sharing it, and remove or rotate the token if you no longer use the skill.
Future upstream changes to the grizzly module could change the behavior of the installed CLI.
The required CLI is installed from an external Go module using the moving `@latest` version.
go | module: github.com/tylerwince/grizzly/cmd/grizzly@latest | creates binaries: grizzly
Prefer a pinned grizzly version if reproducibility matters, and install only from a source you trust.
Private note content may be shown to or processed by the agent when you ask it to read or search notes.
The skill can read Bear note data back into the agent context. This is central to the skill, but Bear notes may contain sensitive or instruction-like content.
grizzly open-note --id "NOTE_ID" --enable-callback --json ... Use `--enable-callback` when you need to read data back from Bear
Avoid asking the skill to read notes containing secrets unless you are comfortable exposing that content to the agent session.
