Research Logger
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated research-and-Bear-note purpose, but it can read an unconstrained template path and appears to save an extra copy of the note to /tmp even when Bear logging succeeds.
Review before installing. The core workflow is understandable, but ask the author to fix the /tmp fallback logic and constrain template paths to the workspace. Avoid using sensitive research topics or templates until those issues are corrected.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Research note contents may be left in /tmp unexpectedly, where they can persist outside Bear and may be readable on shared systems depending on file permissions.
The message implies the /tmp save happens only on failure, but shell &&/|| left-associativity means the final write runs after a successful Bear create as well.
grizzly create ... && echo "✅ Research note created in Bear!" || echo "❌ Failed ..." && echo "$NOTE_CONTENT" > "/tmp/research_${TOPIC// /_}.md"
Change this to an explicit if/else block so the fallback file is written only on failure, and prefer a private workspace directory for fallback saves.
If the template path is set incorrectly or maliciously, local files outside the workspace could be copied into Bear and into the /tmp fallback file.
The script accepts a user-controlled template path and reads it without normalizing or rejecting ../ traversal, even though SKILL.md describes a workspace-relative template.
TEMPLATE_PATH="${3:-notes/research_template.md}" ... TEMPLATE=$(cat "$WORKSPACE/$TEMPLATE_PATH")
Only allow templates under a dedicated workspace template directory, reject absolute paths and ../ segments, and show the resolved path for user confirmation.
Running the skill will modify the user's Bear notes, and those notes may sync if Bear sync is enabled.
The skill uses the Bear CLI to create notes and tags under the user's local Bear profile; this is disclosed and central to the skill's purpose.
echo "$NOTE_CONTENT" | grizzly create --title "$TOPIC Research" $BEAR_TAG
Install only if you want the agent to create Bear notes, and review the generated notes and tags after use.
Future upstream changes to grizzly could change what gets installed for the same skill version.
The install pulls the latest version of an external Go module rather than a pinned version.
module: github.com/tylerwince/grizzly/cmd/grizzly@latest
Prefer a pinned module version or verify the upstream grizzly repository before installing.
If those Bear notes are later reused as agent context or research sources, web content could be mistaken for trusted instructions or verified facts.
Untrusted web content from the top search result is inserted into a persistent Bear note.
SUMMARY=$(web_fetch "$LINK1" --max-chars 2000 ...); ... echo "$NOTE_CONTENT" | grizzly create
Treat generated notes as untrusted research drafts, keep source links visible, and review content before reusing it in agent workflows.
