Is bear-notes safe?
https://clawhub.ai/steipete/bear-notes
Bear-notes is a straightforward skill that wraps the grizzly CLI for Bear note management on macOS. It contains no prompt injection, no hidden code, and no malicious behavior. The primary risks are the unpinned third-party Go binary install (supply chain risk) and the theoretical ability to use note creation as a data exfiltration channel. Monitoring detected no suspicious network activity or canary file tampering.
Category Scores
Findings (6)
MEDIUM Third-party Go binary install via metadata -15
The skill metadata specifies an install step that runs 'go install github.com/tylerwince/grizzly/cmd/grizzly@latest', which downloads, compiles, and installs a Go binary from a third-party GitHub repository. This executes arbitrary code from an external source during skill installation. If the upstream repository is compromised, the installed binary could be malicious.
LOW Skill normalizes agent access to credential files -7
The skill instructs the agent to use --token-file ~/.config/grizzly/token for multiple commands. While this is necessary for Bear API authentication, it establishes a pattern where the agent reads credential files from the user's home directory. A prompt injection from another source could leverage this established pattern to read other credential files.
LOW Note creation could be used as exfiltration channel -10
The skill teaches the agent to create notes with arbitrary content via piped input (echo "content" | grizzly create). A compromised or manipulated agent could use this as a data exfiltration channel by writing sensitive data into Bear notes, which sync to iCloud and are accessible on other devices.
INFO Runtime accessed sensitive files during bootstrap -5
The OpenClaw runtime (not the skill itself) accessed ~/.env, ~/.aws/credentials, ~/.openclaw/openclaw.json, ~/.profile, ~/.bashrc, and auth-profiles.json during the install phase. These are standard runtime bootstrap operations, not skill-initiated, but are noted for completeness.
LOW No version pinning on Go install -7
The install directive uses @latest for the grizzly binary rather than pinning to a specific version tag or commit hash. This means every installation could pull different code, so the exact binary that will be installed cannot be audited in advance.
INFO Skill is macOS-only with limited attack surface -3
The skill is explicitly macOS-only (os: [darwin]) and requires Bear.app to be running. The grizzly CLI communicates with Bear via x-callback-url, a macOS inter-app URL-scheme mechanism. This limits the attack surface to macOS users with Bear installed.