BYR CLI Skill
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is purpose-aligned, but it can import BYR login cookies from browser profiles through an external CLI without enough credential-scope or storage detail.
Review this skill before installing if you plan to use browser import or cookie authentication. Make sure you trust the `byr-pt-cli` package, understand what browser/profile it may read, and use dry-run mode before any download write.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used, the CLI may access browser session material and BYR account credentials; a mistake or untrusted CLI package could expose or misuse the account session.
The skill tells the agent to handle login cookies, auth tokens, optional refresh tokens, and browser-profile imports. That is high-impact account/session access, but the artifacts do not clearly bound which browser data is read or where imported credentials are stored.
`byr auth import-cookie --cookie "session_id=...; auth_token=...; refresh_token=..." --json` and `byr auth import-cookie --from-browser <chrome|safari> [--profile <name>] --json`
Only use browser-cookie import if you trust the installed `byr` CLI and understand where it stores credentials. Prefer explicit, user-provided BYR cookies when possible, and use `byr auth logout --json` when finished.
The installed `byr` binary will perform the actual auth, search, and download actions, so its upstream source matters.
The skill depends on an external CLI package rather than included code. This is normal for an instruction-only CLI skill, but users must trust that package, especially because the skill uses it for authentication.
`brew | formula: byr-pt-cli | creates binaries: byr` and `node | package: byr-pt-cli | creates binaries: byr`
Verify the Homebrew tap or npm package source before installing, and avoid using credentials with an untrusted or unexpected `byr` binary.
The agent can create files on disk when the user proceeds with a non-dry-run download.
The skill can write torrent output files to a user-specified path. This is purpose-aligned and the instructions require explicit parameters, dry-run inspection, and output-path confirmation.
Dry run first: `byr download --id <torrent-id> --output <path> --dry-run --json`; Actual write: `byr download --id <torrent-id> --output <path> --json`
Review the dry-run output and confirm the exact output path before allowing an actual download.