Security audit

research-assistant

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it uses your Bear token to batch-edit tagged Bear notes by adding GIF links and removing the workflow tag.

Install only if the "待整理" tag is reserved for notes you want automatically edited and finalized. Review or back up important notes first, protect the grizzly token file, and avoid using it on sensitive notes if derived topics should not be sent to GIF or web search providers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill performs write operations against Bear notes and removes the '待整理' tag, but it does not prominently warn that it will modify user data or recommend confirmation before making changes. This is dangerous because users may invoke it expecting analysis or augmentation, yet it can silently alter note contents and workflow state, causing unintended data changes or premature finalization.

VirusTotal

61/61 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.