byteplan-api

What to consider before installing/using this skill: - Inconsistency: SKILL.md says credentials go to ~/.byteplan/.env but the code preferentially reads/writes a .env in the current working directory (cwd) or a relative skill path. That can accidentally overwrite or read unrelated projects' .env files containing secrets. - Credential persistence: The skill will ask for your phone/password and persist BP_USER/BP_PASSWORD and tokens unencrypted to a .env file. If you don't want credentials on disk, don't use the automatic save. - Dotenv behavior: The code imports 'dotenv/config', which auto-loads any .env in the working dir into process.env at runtime — this may expose other project secrets to the skill code. - Mitigations: - Inspect the code locally (getEnvPath, saveCredentials, login/loginWithEnv) and, if needed, modify getEnvPath to use an explicit path (e.g., path.join(os.homedir(), '.byteplan', '.env')) and ensure proper file permissions. - Run the skill in an isolated environment (container or dedicated directory) so it cannot touch unrelated .env files. - If you permit persistence, pre-create ~/.byteplan/.env with correct permissions and ensure working directory does not contain a .env you care about. - Verify the BASIC_AUTH header value and overall network endpoints (dev/uat) against a trusted source; ask the publisher for a homepage/source repository (none provided) and a maintainer identity before trusting credentials. - If you cannot verify or adjust the code, treat this skill as risky for production use and avoid storing real credentials with it.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.