ByteRover
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: byterover Version: 3.3.0 The 'byterover' skill bundle describes a comprehensive knowledge management system for AI agents, utilizing a CLI tool (`brv`) to manage project context via local Markdown files and Git-based version control. While the skill requires the installation of an external package (`byterover-cli`) and handles sensitive operations such as LLM API key configuration and remote data synchronization to `byterover.dev`, these capabilities are explicitly documented and directly support the stated purpose of the tool. No evidence of malicious intent, unauthorized data exfiltration, or harmful prompt injection was found in SKILL.md or _meta.json.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may query ByteRover context before doing work, even when the user did not explicitly ask for memory lookup.
The instruction broadly encourages use before tasks, which can influence the agent's workflow. It is consistent with the memory-retrieval purpose, but users should notice the breadth.
You MUST use this for gathering contexts before any work.
Use it as a context aid, not as an override of the user's current instructions; skip it for unrelated tasks or when the needed information is already in context.
Installing the CLI gives the external package code execution on the local machine.
The skill depends on an external globally installed npm CLI. This is disclosed and central to the purpose, but users must trust that package.
Install: `npm install -g byterover-cli`
Install only from a trusted npm source, consider pinning a version, and review the package provenance before use.
Stored project rules or decisions may be reused in later tasks, and inaccurate or sensitive entries could influence future work.
The skill creates persistent project memory and uses an LLM provider for retrieval/curation. This is disclosed and purpose-aligned, but persistent context can affect future agent behavior.
Use `brv` to store and retrieve project patterns, decisions, and architectural rules in .brv/context-tree. Uses a configured LLM provider (default: ByteRover, no API key needed) for query and curate operations.
Review `.brv/context-tree/`, avoid storing secrets or transient personal details, and curate memory intentionally.
Using remote sync may connect local project memory to a ByteRover account or remote service.
The skill indicates optional account authentication for remote sync. This is expected for sync functionality, but users should understand when credentials are introduced.
Login is only required for remote sync (`brv vc push`/`brv vc pull`).
Use remote sync only when needed, confirm the destination account/workspace, and avoid syncing sensitive memory unintentionally.