ByteRover - Headless
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent ByteRover CLI guide, but it uses a ByteRover API key and can persist or sync selected project context to the cloud, so users should approve what is shared.
Before installing, confirm you trust the ByteRover CLI, use a dedicated ByteRover API key, and approve any push or pull operation. Do not curate or sync secrets, credentials, or sensitive project files unless you intend them to be stored in ByteRover.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone installing this should understand that the agent may handle a ByteRover API key for the user’s account.
The skill instructs use of a ByteRover API key for login. This is expected for the service, but it grants account access and is not declared as a primary credential in the registry metadata.
ask them to provide: 1. **API key** - for authentication ... brv login --api-key <key>
Use a dedicated, revocable ByteRover key with the least needed access, and do not provide unrelated credentials.
Private implementation details or file contents could become part of a persistent knowledge base and later be reused or synced.
The skill stores project knowledge, can include selected file content, and can sync the context tree to cloud storage. This is aligned with the stated purpose but can persist sensitive project details.
ByteRover maintains a context tree that stores patterns, decisions, and implementation details about a project ... brv curate ... --files src/middleware/auth.ts ... brv push ... ByteRover cloud storage
Review curated content before syncing, avoid secrets or confidential files, and use trusted ByteRover teams/spaces.
If the permission step is skipped, context changes could be pushed or pulled without the user noticing the CLI prompt.
Push and pull can mutate or sync the context tree. The instructions include a user-permission step, but the actual headless push command bypasses the CLI confirmation prompt.
For pull and push operations, you should ask for user permission first ... For push operations, always use `-y` to skip confirmation in headless mode.
Require clear user approval before every push, pull, or force re-initialization, especially when project context may be uploaded or overwritten.
The security of actual operations depends on the installed `brv` CLI package.
The skill depends on an external ByteRover CLI package rather than included code. This is normal for a CLI wrapper, but the reviewed artifacts do not contain the package implementation.
"requires":{"bins":["brv"]},"install":[{"id":"npm","kind":"node","package":"@byterover/cli","bins":["brv"]Install the CLI only from the official ByteRover package/source and keep it updated.
