Trust Assessment
bear-notes received a trust score of 85/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Unpinned Go dependency allows arbitrary code execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 18, 2026 (commit b62bd290). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Unpinned Go dependency allows arbitrary code execution The skill's manifest specifies the installation of the `grizzly` Go module using `@latest`. This practice does not pin the dependency to a specific version, meaning that any future changes (including malicious ones) to the `github.com/tylerwince/grizzly` repository could be automatically installed and executed without explicit review. This introduces a significant supply chain risk, as a compromised upstream repository could lead to arbitrary code execution on the host system. Pin the Go module dependency to a specific, immutable version (e.g., a commit hash or a semantic version tag like `@v1.2.3`) to ensure deterministic and secure installations. Regularly review and update the pinned version. | Static | SKILL.md:1 |
Scan History
Embed Code
[](https://skillshield.io/report/118ecfeceec4418b)
Powered by SkillShield