Skill v1.0.0

ClawScan security

Bear Notes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:20 AM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's instructions match its stated purpose (using grizzly to manage Bear notes) but its published metadata omits required binaries/install and environment details; installing the third‑party grizzly tool via `go` and storing a Bear token in a file are coherent for functionality but the metadata/instruction mismatches and install-from-GitHub raise moderate risk.
Guidance
This skill appears to do what it says (control Bear via the grizzly CLI), but there are metadata inconsistencies and an install-from-GitHub step to be aware of. Before installing:

- Confirm you trust the grizzly repository and its maintainer (github.com/tylerwince/grizzly). Review the source or the release used rather than blindly installing '@latest'.
- Expect to provide a Bear API token; store it with restrictive file permissions (chmod 600) and consider using a dedicated token with limited scope if available.
- Be aware grizzly may open a local callback URL (localhost) to receive data — ensure that port is not exposed and that you understand what will listen on it.
- Ask the skill author/platform owner to correct the published metadata to declare the required binary and env vars, and to provide an explicit, versioned install step rather than 'latest'.

If you cannot verify the repository or are uncomfortable granting access to a Bear token, avoid installing the CLI and instead interact with Bear manually.

Review Dimensions

Purpose & Capability
Rating
note
The SKILL.md describes exactly what the skill claims to do (use the grizzly CLI to create/read/manage Bear notes). However, the registry metadata shown to the platform omitted the requirement for the 'grizzly' binary and a token file; the SKILL.md includes a clawdbot metadata block that does declare a go install for grizzly. This mismatch between published metadata and the runtime instructions is inconsistent and should be corrected.
Instruction Scope
Rating
note
Runtime instructions stay within the Bear/grizzly scope: they use the grizzly CLI, reference Bear's API token (in ~/.config/grizzly/token), and local callback URLs (localhost). There is no instruction to read unrelated system files. Note: the agent (or user following the instructions) will need access to the token file and possibly to .grizzly.toml in the home directory; those are sensitive and must be protected.
Install Mechanism
Rating
note
The registry metadata said 'no install spec', but SKILL.md contains metadata to install grizzly via 'go' (github.com/tylerwince/grizzly/cmd/grizzly@latest). Installing a third-party Go module from GitHub is a common but non-trivial action: it fetches and builds remote code (moderate risk). The install source is a GitHub repo (traceable) rather than an opaque URL, which is better, but 'latest' can change over time and could pull malicious changes if the repository is compromised.
Credentials
Rating
concern
The skill in the registry declared no required env vars, yet SKILL.md documents environment variables (GRIZZLY_TOKEN_FILE, GRIZZLY_CALLBACK_URL, GRIZZLY_TIMEOUT) and requires a Bear API token stored in ~/.config/grizzly/token for several operations. This is proportionate to the stated purpose (Bear API needs a token), but the platform metadata should declare that a credential/file is required. Also, storing tokens in a file means the agent or any process running as the user could read it—handle permissions carefully.
Persistence & Privilege
Rating
ok
The skill does not request elevated persistence (always: false). It is user-invocable and allows model invocation (platform default). Nothing in the skill attempts to modify other skills or request system-wide configuration changes.