ByteRover

Pass. Audited by ClawScan on May 1, 2026.

Overview

ByteRover is a coherent project-memory skill, but it relies on an external CLI, persistent memory files, and an LLM provider for some operations.

Before installing, make sure you trust the `byterover-cli` npm package. Review what gets stored in `.brv/context-tree/`, avoid curating secrets or sensitive personal information, and only use remote sync when you intend to connect the project memory to an account or remote service.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note (High Confidence)
ASI01: Agent Goal Hijack
What this means

The agent may query ByteRover context before doing work, even when the user did not explicitly ask for memory lookup.

Why it was flagged

The instruction broadly encourages use before tasks, which can influence the agent's workflow. It is consistent with the memory-retrieval purpose, but users should notice the breadth.

Skill content

You MUST use this for gathering contexts before any work.

Recommendation

Use it as a context aid, not as an override of the user's current instructions; skip it for unrelated tasks or when the needed information is already in context.

What this means

Installing the CLI gives the external package code execution on the local machine.

Why it was flagged

The skill depends on an external globally installed npm CLI. This is disclosed and central to the purpose, but users must trust that package.

Skill content

Install: `npm install -g byterover-cli`

Recommendation

Install only from a trusted npm source, consider pinning a version, and review the package provenance before use.

What this means

Stored project rules or decisions may be reused in later tasks, and inaccurate or sensitive entries could influence future work.

Why it was flagged

The skill creates persistent project memory and uses an LLM provider for retrieval/curation. This is disclosed and purpose-aligned, but persistent context can affect future agent behavior.

Skill content

Use `brv` to store and retrieve project patterns, decisions, and architectural rules in .brv/context-tree. Uses a configured LLM provider (default: ByteRover, no API key needed) for query and curate operations.

Recommendation

Review `.brv/context-tree/`, avoid storing secrets or transient personal details, and curate memory intentionally.

What this means

Using remote sync may connect local project memory to a ByteRover account or remote service.

Why it was flagged

The skill indicates optional account authentication for remote sync. This is expected for sync functionality, but users should understand when credentials are introduced.

Skill content

Login is only required for remote sync (`brv vc push`/`brv vc pull`).

Recommendation

Use remote sync only when needed, confirm the destination account/workspace, and avoid syncing sensitive memory unintentionally.