Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ByteRover

You MUST use this for gathering contexts before any work. This is a Knowledge management for AI agents. Use `brv` to store and retrieve project patterns, dec...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
105 · 31.4k · 186 current installs · 201 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (knowledge management for AI agents) lines up with the SKILL.md: it uses a brv CLI and stores human-readable Markdown under .brv/context-tree. The skill does not request unrelated credentials or config paths. However, the skill claims a default 'ByteRover' LLM provider (no API key) which implies remote LLM usage; that capability should be clearly justified given the claimed local storage focus.
Instruction Scope
SKILL.md instructs the agent to run brv query/curate and to read up to 5 project-scoped files (via -f). That is mostly scoped to the project. However the doc contains contradictory statements about data flow: it says 'No authentication needed' and elsewhere 'No data is sent to ByteRover servers unless you explicitly run brv push' while also saying query/curate use a configured LLM provider (default: ByteRover). This ambiguity affects whether project contents will be sent to a remote service when using query/curate. The file-access limits are explicit, which is good, but the ambiguous network/data-flow instruction is a meaningful scope creep risk.
Install Mechanism
The skill bundle has no install spec (instruction-only), but the SKILL.md tells users/agents to run 'npm install -g byterover-cli'. Installing a global npm package pulls code from the npm registry and may run install scripts — a moderate-risk action. The skill provides no source/homepage or provenance for that package in metadata, increasing the risk.
Credentials
The skill declares no required environment variables or credentials. Optional workflows do instruct connecting other LLM providers (OpenAI, Anthropic) which legitimately require API keys; those are optional and proportional. Still, the 'default: ByteRover, no API key needed' claim and lack of provider hosting details are concerning from a privacy perspective.
Persistence & Privilege
The skill does not request always:true and does not demand system-wide config changes. It writes to the project-scoped .brv/context-tree directory (expected for a knowledge manager). Cloud sync (brv push/pull) is opt-in and requires explicit login per the docs — but confirm actual behavior before using.
What to consider before installing
This skill appears to be a local knowledge manager that uses a 'brv' CLI, but there are two things you should verify before installing or using it:

  1. Provenance and package safety: SKILL.md tells you to run 'npm install -g byterover-cli' but the registry metadata lists no source or homepage. Before installing globally, inspect the byterover-cli package on the npm registry and review its repository and postinstall scripts (or prefer installing in an isolated environment or container). If you can't find an official source or repo, avoid installing.
  2. Data-exfiltration / privacy ambiguity: The doc claims a default ByteRover LLM provider (no API key) yet also states 'No data is sent to ByteRover servers unless you explicitly run brv push.' Those statements contradict each other: running 'brv query'/'brv curate' may send project files or queries to whichever LLM provider is configured. Confirm the provider's implementation (local vs remote) and whether queries/curations are sent over the network. If you will store sensitive code or secrets, either a) configure a known local LLM provider or a trusted provider with clear privacy terms, or b) avoid using query/curate for sensitive content.

Operational recommendations: only curate non-sensitive info, add .brv/context-tree to your review/gitignore policy as appropriate, limit -f file selections, test network traffic in a sandbox, and require a verifiable package homepage/repo before global installation. If you need more confidence, ask the author/package for source code or a trusted release link and re-run the evaluation with that information.
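The manifest review recommended above (install scripts, missing source or homepage) can be done statically before anything is installed. The following is an added example, not part of the scan report or the skill; the sample manifest, its package name and its script are constructed, and `auditManifest` is a hypothetical helper name.

```javascript
// Added example: static pre-install review of a parsed npm package.json.
// Lifecycle hooks that npm runs when a package is installed from the registry.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const PROVENANCE_FIELDS = ["repository", "homepage"];

function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  // Commands that would execute on the installing machine.
  const installHooks = INSTALL_HOOKS
    .filter((name) => typeof scripts[name] === "string" && scripts[name].trim() !== "")
    .map((name) => ({ hook: name, command: scripts[name] }));

  // Fields that let a reviewer trace the package back to source code.
  const missingProvenance = PROVENANCE_FIELDS.filter((field) => {
    const value = manifest[field];
    if (typeof value === "string") return value.trim() === "";
    if (value && typeof value === "object") return !value.url;
    return true;
  });

  // "bin" entries become commands on PATH after a global (-g) install.
  // A string-valued "bin" uses the package name (without scope) as the command.
  const bin = manifest.bin;
  const globalCommands =
    typeof bin === "string"
      ? [String(manifest.name || "").split("/").pop()]
      : Object.keys(bin || {});

  return {
    installHooks,
    missingProvenance,
    globalCommands,
    needsReview: installHooks.length > 0 || missingProvenance.length > 0,
  };
}

// Constructed sample manifest (hypothetical package, not byterover-cli).
const sampleManifest = {
  name: "example-cli",
  version: "1.0.0",
  bin: { example: "dist/cli.js" },
  scripts: { build: "tsc", postinstall: "node scripts/setup.js" },
};

console.log(JSON.stringify(auditManifest(sampleManifest), null, 2));
```

The JSON printed by `npm view <package> --json` can be parsed and passed to the function without installing the package. A clean result covers only the manifest of the top-level package, not its dependencies or the code it ships.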

Like a lobster shell, security has layers — review code before you run it.

Current version: v2.1.0


SKILL.md

ByteRover Knowledge Management

Use the brv CLI to manage your project's long-term memory.

Install:

npm install -g byterover-cli

Knowledge is stored in .brv/context-tree/ as human-readable Markdown files.

No authentication needed. brv query and brv curate work out of the box. Login is only required for cloud sync (push/pull/space) — ignore those if you don't need cloud features.

Workflow

  1. Before Thinking: Run brv query to understand existing patterns.
  2. After Implementing: Run brv curate to save new patterns/decisions.

Commands

1. Query Knowledge

Overview: Retrieve relevant context from your project's knowledge base. Uses a configured LLM provider to synthesize answers from .brv/context-tree/ content.

Use this skill when:

  • The user wants you to recall something
  • Your context does not contain information you need
  • You need to recall your capabilities or past actions
  • Before performing any action, to check for relevant rules, criteria, or preferences

Do NOT use this skill when:

  • The information is already present in your current context
  • The query is about general knowledge, not stored memory

brv query "How is authentication implemented?"

2. Curate Context

Overview: Analyze and save knowledge to the local knowledge base. Uses a configured LLM provider to categorize and structure the context you provide.

Use this skill when:

  • The user wants you to remember something
  • The user intentionally curates memory or knowledge
  • There are meaningful memories from user interactions that should be persisted
  • There are important facts about what you do, what you know, or what decisions and actions you have taken

Do NOT use this skill when:

  • The information is already stored and unchanged
  • The information is transient or only relevant to the current task, or just general knowledge

brv curate "Auth uses JWT with 24h expiry. Tokens stored in httpOnly cookies via authMiddleware.ts"

Include source files (max 5, project-scoped only):

brv curate "Authentication middleware details" -f src/middleware/auth.ts

View curate history to check past curations:

  • Show recent entries (last 10)
brv curate view
  • Full detail for a specific entry: all files and operations performed (logId is printed by brv curate on completion, e.g. cur-1739700001000)
brv curate view cur-1739700001000
  • List entries with file operations visible (no logId needed)
brv curate view detail
  • Filter by time and status
brv curate view --since 1h --status completed
  • For all filter options
brv curate view --help

3. LLM Provider Setup

brv query and brv curate require a configured LLM provider. Connect the default ByteRover provider (no API key needed):

brv providers connect byterover

To use a different provider (e.g., OpenAI, Anthropic, Google), list available options and connect with your own API key:

brv providers list
brv providers connect openai --api-key sk-xxx --model gpt-4.1

4. Project Locations

Overview: List registered projects and their context tree paths. Returns project metadata including initialization status and active state. Use -f json for machine-readable output.

Use this when:

  • You need to find a project's context tree path
  • You need to check which projects are registered
  • You need to verify if a project is initialized

Do NOT use this when:

  • You already know the project path from your current context
  • You need project content rather than metadata — use brv query instead

brv locations -f json

JSON fields: projectPath, contextTreePath, isCurrent, isActive, isInitialized.

5. Cloud Sync (Optional)

Overview: Sync your local knowledge with a team via ByteRover's cloud service. Requires ByteRover authentication.

Setup steps:

  1. Log in: Get an API key from your ByteRover account and authenticate:

brv login --api-key sample-key-string

  2. List available spaces:

brv space list

Sample output:

brv space list
1. human-resources-team (team)
   - a-department (space)
   - b-department (space)
2. marketing-team (team)
   - c-department (space)
   - d-department (space)

  3. Connect to a space:

brv space switch --team human-resources-team --name a-department

Cloud sync commands: Once connected, brv push and brv pull sync with that space.

# Pull team updates
brv pull

# Push local changes
brv push

Switching spaces:

  • Push local changes first (brv push) — switching is blocked if unsaved changes exist.
  • Then switch:
brv space switch --team marketing-team --name d-department
  • The switch automatically pulls context from the new space.

Data Handling

Storage: All knowledge is stored as Markdown files in .brv/context-tree/ within the project directory. Files are human-readable and version-controllable.

File access: The -f flag on brv curate reads files from the current project directory only. Paths outside the project root are rejected. Maximum 5 files per command, text and document formats only.

LLM usage: brv query and brv curate send context to a configured LLM provider for processing. The LLM sees the query or curate text and any included file contents. No data is sent to ByteRover servers unless you explicitly run brv push.

Cloud sync: brv push and brv pull require authentication (brv login) and send knowledge to ByteRover's cloud service. All other commands operate without ByteRover authentication.

Error Handling

User Action Required: You MUST show this troubleshooting guide to users when errors occur.

"Not authenticated" | Run brv login --help for more details.
"No provider connected" | Run brv providers connect byterover (free, no key needed).
"Connection failed" / "Instance crashed" | User should kill brv process.
"Token has expired" / "Token is invalid" | Run brv login again to re-authenticate.
"Billing error" / "Rate limit exceeded" | User should check account credits or wait before retrying.

Agent-Fixable Errors: You MUST handle these errors gracefully and retry the command after fixing.

"Missing required argument(s)." | Run brv <command> --help to see usage instructions.
"Maximum 5 files allowed" | Reduce to 5 or fewer -f flags per curate.
"File does not exist" | Verify path with ls, use relative paths from project root.
"File type not supported" | Only text, image, PDF, and office files are supported.

Quick Diagnosis

Run brv status to check authentication, project, and provider state.
