Back to skill

Security audit

Bear GIF Enricher

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent, but it can persistently edit Bear notes in bulk and its completion-tag step appears to create a new Bear note instead of updating the original.

Install only after reviewing the scripts and testing on backed-up or disposable Bear notes. Avoid using it on confidential notes, because note-derived search terms can leave your machine. The retagging command should be fixed or verified before batch use, since the current script appears able to create extra notes instead of marking the original note as done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill instructs the agent to execute shell scripts (`scripts/process_notes.sh` and `scripts/enrich_note.sh`) but does not declare corresponding permissions. Hidden or undeclared execution capability is dangerous because users and policy layers may not realize the skill can run local commands that read and modify Bear notes and access local tokens/API keys.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior understates or misstates what the skill does: it not only enriches notes, but also changes tags/state and may create content/state transitions not clearly disclosed. Description-behavior mismatch is dangerous because users may authorize a seemingly harmless illustration task without understanding that their notes will be modified and reclassified, which can cause data integrity issues or unintended workflow changes at scale.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script’s post-processing behavior exceeds straightforward note enrichment by mutating workflow state via tag changes. In this skill context, changing tags is security-relevant because it can silently alter note organization and cause automation pipelines or users to treat a note as fully processed when it may not be.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code intended to add a completion tag instead invokes `grizzly create`, which creates a new Bear item instead of modifying the target note. This can duplicate note titles, create misleading records, and falsely indicate completion while leaving the original note unchanged or only partially modified.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comment claims the script will add a new tag to the note, but the implementation creates a separate note instead. This mismatch is dangerous because reviewers and users may trust the comment and miss that the script performs a broader write action than described, leading to unintended data creation and workflow corruption.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description does not warn that it modifies existing Bear notes by appending GIFs and retagging them, potentially across many notes. Undisclosed content modification is risky because users may trigger the skill expecting analysis-only behavior and instead lose workflow state or alter notes in bulk without informed consent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The workflow says it extracts topic phrases from note content and queries Tenor or Giphy, but it does not warn that note-derived content is sent to third-party services. This creates a real data exposure risk, especially for research notes that may contain proprietary, sensitive, or personal information; even extracted phrases can leak confidential topics to external providers.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script derives a topic from note content and sends it to external GIF search providers without any user confirmation or disclosure. Even though only a title or first line is transmitted, research notes can contain sensitive subjects, so this leaks potentially private metadata to third parties outside Bear.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.