Bear Share Sync

Pass. Audited by VirusTotal on May 11, 2026.

Findings (1)

The skill contains a significant command injection vulnerability in scripts/poll-share-notes.sh and the SKILL.md pipeline example. Raw note content from the Bear app is injected directly into Python command strings using shell variables (e.g., '''$RAW'''), which allows for arbitrary code execution if a note contains triple quotes or malicious Python code. While the stated purpose of syncing notes to a JSON Canvas and BlueBubbles iMessage is plausible, the lack of input sanitization on external data sources poses a high security risk.