research-logger

Audited by ClawScan on May 11, 2026.

Overview

The skill mostly matches its stated research-to-Bear-note purpose, but it renders untrusted search/user text through unescaped sed commands, which could cause unexpected command execution or failures.

Install only if you are comfortable with web/GIF lookups and automatic Bear note creation. Before using it broadly, the author should fix the unsafe sed-based templating so untrusted search results cannot alter the command script.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or malformed search result, GIF result, or topic string could break note creation or potentially run unexpected local commands while the template is rendered.

Why it was flagged

Text derived from web search results and user input is embedded directly into sed commands as replacement text. Sed metacharacters, delimiters, or newlines in that content can corrupt the sed script and, on sed implementations with execution commands, may allow injected sed commands.

Skill content
SEARCH_RESULTS=$(web_search "$TOPIC" 2>/dev/null || echo "{}") ... SUMMARY="${SNIPPET1:-Research results for $TOPIC}" ... -e "s|{summary}|$SUMMARY|g"
Recommendation

Use a safer templating method or escape all sed replacement values, including delimiters, ampersands, backslashes, and newlines, before invoking sed. Avoid allowing untrusted text to become part of a sed program.
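The following is an added example, not code from the research-logger skill, showing one "safer templating method" of the kind this recommendation asks for: placeholders such as {summary} are replaced by literal string matching in awk, and the values travel through the environment rather than through a sed program, so delimiters, ampersands, backslashes and newlines in search results need no escaping at all. The function name render_template, the TPL_ environment prefix and the sample snippet are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not the research-logger skill's code): render {placeholder}
# tokens by literal substitution so untrusted text never becomes sed syntax.

render_template() {
    # usage: render_template "template text" name=value [name=value ...]
    # Each name becomes TPL_<name> in awk's ENVIRON. The environment carries
    # values byte-for-byte (newlines included); awk -v would instead interpret
    # backslash escapes in them, which is exactly the problem being avoided.
    template=$1; shift
    for pair in "$@"; do
        shift
        set -- "$@" "TPL_$pair"
    done
    printf '%s\n' "$template" | env "$@" awk '
    {
        line = $0; out = ""
        # Scan left to right. Substituted text is appended to "out" and never
        # rescanned, so a value containing "{title}" is not expanded again.
        while (match(line, /[{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
            name = substr(line, RSTART + 1, RLENGTH - 2)
            key = "TPL_" name
            out = out substr(line, 1, RSTART - 1)
            if (key in ENVIRON)
                out = out ENVIRON[key]
            else
                out = out substr(line, RSTART, RLENGTH)  # unknown placeholder kept verbatim
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Constructed sample input: a search snippet containing every character that
# breaks a naive  sed -e "s|{summary}|$SUMMARY|g"  (delimiter, ampersand,
# backslash, newline) plus a shell-looking ${HOME} that must stay literal.
SNIPPET1='C:\tools & more | see ${HOME}
second line of the snippet'
TOPIC='sed & friends'
SUMMARY="${SNIPPET1:-Research results for $TOPIC}"

# Renders a small note body the way the skill's template step would.
render_note() {
    render_template '# {title}

Summary: {summary}
Tags: {tags}' title="$TOPIC Research" summary="$SUMMARY" tags="research, {title}"
}

render_note
```

Because the template and the values meet only inside awk's index-based matching, there is no metacharacter class to enumerate and nothing an attacker-controlled snippet can inject; the remaining caveat is that placeholder names must be valid environment variable names (letters, digits, underscore).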

What this means

When invoked, the skill can add persistent notes and tags to the user's Bear app.

Why it was flagged

The skill creates a Bear note through the grizzly CLI, and tag flags are assembled into an unquoted argument string. Creating the note is purpose-aligned, but it is still a local data mutation users should expect and control.

Skill content
echo "$CONTENT" | grizzly create --title "$TOPIC Research" $TAG_FLAGS
Recommendation

Run it only for topics you intend to save. Prefer building CLI arguments with arrays and quoting tag values to avoid malformed tags being interpreted unexpectedly.
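As an added example (not the skill's own code), the script below puts the unquoted $TAG_FLAGS pattern next to the recommended per-word argument construction, using a stand-in fake_cli in place of grizzly so the resulting argument vector can be inspected. The "--tag value" flag shape is an assumption made for the example; check grizzly's actual syntax before adapting it.

```shell
#!/bin/sh
# Added example (not from the research-logger skill): why an unquoted flag
# string is fragile, and how to pass each flag and value as its own word.

TOPIC='Shell quoting'   # constructed sample topic

# Stand-in for the grizzly CLI: prints one argument per line so the effect of
# the shell's word splitting is visible. (Assumption: one "--tag <value>" pair
# per tag; adjust to the real CLI's flag syntax.)
fake_cli() { printf '%s\n' "$@"; }

# Unsafe: tags are concatenated into one string and expanded unquoted. The
# shell splits it on whitespace and also performs glob expansion, so a tag
# such as "machine learning" becomes two arguments and "*" becomes filenames.
unsafe_tag_args() {
    TAG_FLAGS=""
    for tag in "$@"; do
        TAG_FLAGS="$TAG_FLAGS --tag $tag"
    done
    fake_cli create --title "$TOPIC Research" $TAG_FLAGS
}

# Safe: every flag and every value is a separate argument. POSIX sh has no
# arrays, so the positional parameters are rebuilt one word at a time; in bash
# the same idea is  flags+=(--tag "$tag")  followed by  "${flags[@]}".
safe_tag_args() {
    for tag in "$@"; do
        shift
        set -- "$@" --tag "$tag"
    done
    fake_cli create --title "$TOPIC Research" "$@"
}

echo '--- unsafe ---'; unsafe_tag_args 'machine learning' ai
echo '--- safe ---';   safe_tag_args   'machine learning' ai
```

With the constructed tags, the unsafe variant hands the CLI eight arguments with "machine" and "learning" as separate words, while the safe variant hands it seven with "machine learning" intact as the fifth argument.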

What this means

Research topics may be shared with whatever services back web_search and gifgrep.

Why it was flagged

The topic is sent to external search and GIF lookup tooling. This is disclosed and purpose-aligned, but the artifact does not define provider boundaries or privacy handling.

Skill content
SEARCH_RESULTS=$(web_search "$TOPIC" 2>/dev/null || echo "{}") ... GIF_RESULT=$(gifgrep "$TOPIC" 2>/dev/null || echo "")
Recommendation

Avoid using sensitive or confidential topics unless you understand and accept the privacy behavior of the configured search and GIF providers.

What this means

The behavior may depend on whatever version of the external CLI is installed, and users may not see all required tooling from registry metadata alone.

Why it was flagged

The documented setup uses an external CLI installed at @latest, while registry metadata does not declare required binaries. This is user-directed and purpose-aligned, but the dependency version/provenance is not pinned in the skill artifacts.

Skill content
- **grizzly** — Bear CLI (`go install github.com/tylerwince/grizzly/cmd/grizzly@latest`)
Recommendation

Declare all required tools in metadata, pin external dependency versions where possible, and include or document the required template file clearly.