Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byterover 2.0.0

You MUST use this for gathering contexts before any work. This is a Knowledge management for AI agents. Use `brv` to store and retrieve project patterns, dec...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 32 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)

Purpose & Capability
The name/description (ByteRover knowledge management) align with the SKILL.md: it instructs the agent to use the 'brv' CLI to query and curate a local .brv/context-tree. There are no declared env vars, binaries, or install scripts in the skill bundle itself — the README tells users to install 'npm install -g byterover-cli', which is consistent with the stated purpose. Minor inconsistency: registry metadata in the package header differs from the _meta.json ownerId/slug/version fields, which is unexpected and worth checking (may indicate packaging or release metadata issues).
Instruction Scope
The instructions explicitly tell the agent to run brv CLI commands that read and write project files (brv curate can include up to 5 files from the project). Those commands will send data to whatever LLM provider is configured (brv query/curate), and optionally to ByteRover cloud when the user runs brv push/pull after brv login. This behavior is coherent with the purpose but has privacy implications: the agent may read project files and transmit them to external LLMs. The SKILL.md asserts that -f rejects files outside project root and that cloud sync only occurs with explicit push, but those are claims by the tool — the skill itself does not enforce them.
Install Mechanism
There is no install spec in the skill bundle (instruction-only). The SKILL.md recommends installing the CLI via npm (npm install -g byterover-cli). Installing from npm is a normal, traceable path but does pull third-party code onto the host; the skill bundle itself does not include or pin the package or a checksum. No downloads from unknown URLs or archive extracts are present in the skill bundle.
Credentials
The skill declares no required env vars or credentials. The instructions do show optional flows that require API keys: connecting third-party LLM providers (e.g., openai --api-key) or ByteRover cloud login for push/pull. Those optional credentials are proportional to the optional cloud/third-party provider features and are not requested by the skill bundle itself.
Persistence & Privilege
The skill is user-invocable and does not set always: true. It does not claim or request persistent elevated privileges or attempt to modify other skills or system-wide agent settings. The guidance 'You MUST use this for gathering contexts before any work' is prescriptive but is an instruction-level policy, not an entitlement or background privilege.
Assessment
This skill is coherent for local knowledge management, but take these precautions before installing/using it:

  1. Verify the byterover-cli npm package (author, versions, recent changes) before running npm install -g; prefer installing in a controlled environment or using a pinned version.
  2. Be aware brv curate can read up to 5 project files and brv query/curate will send content to whichever LLM provider you configure — do not include secrets or private data unless you trust the provider.
  3. Avoid running brv push or logging into ByteRover cloud unless you intend to store project knowledge on their servers; check the cloud privacy/terms.
  4. Confirm the metadata mismatch (registry header vs _meta.json owner/version) with the publisher — it's a packaging inconsistency that should be resolved.
  5. If you need strong data controls, run the CLI locally with a local LLM provider or in an isolated workspace and ensure .brv/context-tree is included/excluded from version control per your security policy.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
latest: vk978x6ae7gnprdgqwkmcysx1qx830qx2


SKILL.md

ByteRover Knowledge Management

Use the brv CLI to manage your project's long-term memory.

Install:

npm install -g byterover-cli

Knowledge is stored in .brv/context-tree/ as human-readable Markdown files.

No authentication needed. brv query and brv curate work out of the box. Login is only required for cloud sync (push/pull/space) — ignore those if you don't need cloud features.

Workflow

  1. Before Thinking: Run brv query to understand existing patterns.
  2. After Implementing: Run brv curate to save new patterns/decisions.

Commands

1. Query Knowledge

Overview: Retrieve relevant context from your project's knowledge base. Uses a configured LLM provider to synthesize answers from .brv/context-tree/ content.

Use this skill when:

  • The user wants you to recall something
  • Your context does not contain information you need
  • You need to recall your capabilities or past actions
  • Before performing any action, to check for relevant rules, criteria, or preferences

Do NOT use this skill when:

  • The information is already present in your current context
  • The query is about general knowledge, not stored memory

brv query "How is authentication implemented?"

2. Curate Context

Overview: Analyze and save knowledge to the local knowledge base. Uses a configured LLM provider to categorize and structure the context you provide.

Use this skill when:

  • The user wants you to remember something
  • The user intentionally curates memory or knowledge
  • There are meaningful memories from user interactions that should be persisted
  • There are important facts about what you do, what you know, or what decisions and actions you have taken

Do NOT use this skill when:

  • The information is already stored and unchanged
  • The information is transient or only relevant to the current task, or just general knowledge

brv curate "Auth uses JWT with 24h expiry. Tokens stored in httpOnly cookies via authMiddleware.ts"

Include source files (max 5, project-scoped only):

brv curate "Authentication middleware details" -f src/middleware/auth.ts

View curate history to check past curations:

  • Show recent entries (last 10):

brv curate view

  • Show full detail for a specific entry, including all files and operations performed (the logId is printed by brv curate on completion, e.g. cur-1739700001000):

brv curate view cur-1739700001000

  • List entries with file operations visible (no logId needed):

brv curate view detail

  • Filter by time and status:

brv curate view --since 1h --status completed

  • For all filter options:

brv curate view --help

3. LLM Provider Setup

brv query and brv curate require a configured LLM provider. Connect the default ByteRover provider (no API key needed):

brv providers connect byterover

To use a different provider (e.g., OpenAI, Anthropic, Google), list available options and connect with your own API key:

brv providers list
brv providers connect openai --api-key sk-xxx --model gpt-4.1

4. Cloud Sync (Optional)

Overview: Sync your local knowledge with a team via ByteRover's cloud service. Requires ByteRover authentication.

Setup steps:

  1. Log in: Get an API key from your ByteRover account and authenticate:

brv login --api-key sample-key-string

  2. List available spaces:

brv space list

Sample output:

brv space list
1. human-resources-team (team)
   - a-department (space)
   - b-department (space)
2. marketing-team (team)
   - c-department (space)
   - d-department (space)

  3. Connect to a space:

brv space switch --team human-resources-team --name a-department

Cloud sync commands: Once connected, brv push and brv pull sync with that space.

# Pull team updates
brv pull

# Push local changes
brv push

Switching spaces:

  • Push local changes first (brv push) — switching is blocked if unsaved changes exist.
  • Then switch:
brv space switch --team marketing-team --name d-department
  • The switch automatically pulls context from the new space.

Data Handling

Storage: All knowledge is stored as Markdown files in .brv/context-tree/ within the project directory. Files are human-readable and version-controllable.

File access: The -f flag on brv curate reads files from the current project directory only. Paths outside the project root are rejected. Maximum 5 files per command, text and document formats only.

LLM usage: brv query and brv curate send context to a configured LLM provider for processing. The LLM sees the query or curate text and any included file contents. No data is sent to ByteRover servers unless you explicitly run brv push.

Cloud sync: brv push and brv pull require authentication (brv login) and send knowledge to ByteRover's cloud service. All other commands operate without ByteRover authentication.
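
The project-root restriction and the 5-file limit above are stated by the tool, and file contents passed with -f reach the configured LLM provider. The following is an added example, not part of the skill or of byterover-cli: a pre-flight check an operator could run on candidate -f paths before calling brv curate. The function names, the secret patterns and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

MAX_FILES = 5  # limit SKILL.md states for `brv curate -f`

# Heuristic patterns, constructed for this example; not exhaustive.
SECRET_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hard-coded credential": re.compile(
        r"\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]",
        re.IGNORECASE),
}


def preflight(project_root, paths):
    """Return (path, reason) pairs for files that should not go to -f."""
    root = os.path.realpath(project_root)
    problems = []
    if len(paths) > MAX_FILES:
        problems.append(("*", f"{len(paths)} files given, limit is {MAX_FILES}"))
    for p in paths:
        # realpath resolves symlinks and "..", so an in-tree link that
        # points outside the project is caught as well.
        real = os.path.realpath(os.path.join(root, p))
        if os.path.commonpath([root, real]) != root:
            problems.append((p, "resolves outside project root"))
        elif not os.path.isfile(real):
            problems.append((p, "not a regular file"))
        else:
            with open(real, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            problems += [(p, f"contains {label}")
                         for label, rx in SECRET_PATTERNS.items() if rx.search(text)]
    return problems


def demo():
    """Constructed project: a clean file, a secret, a symlink escape, a '..' path."""
    with tempfile.TemporaryDirectory() as proj, tempfile.TemporaryDirectory() as out:
        with open(os.path.join(proj, "auth.ts"), "w") as fh:
            fh.write("export const ttlHours = 24;\n")
        with open(os.path.join(proj, "config.ts"), "w") as fh:
            fh.write('const api_key = "constructed-sample-value";\n')
        with open(os.path.join(out, "notes.txt"), "w") as fh:
            fh.write("outside the project\n")
        os.symlink(os.path.join(out, "notes.txt"), os.path.join(proj, "link.txt"))
        return preflight(proj, ["auth.ts", "config.ts", "link.txt", "../x"])
```

An empty result means none of these checks fired; it does not mean the file is free of sensitive data.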

Error Handling

User Action Required: You MUST show this troubleshooting guide to users when errors occur.

"Not authenticated" | Run brv login --help for more details.
"No provider connected" | Run brv providers connect byterover (free, no key needed).
"Connection failed" / "Instance crashed" | User should kill brv process.
"Token has expired" / "Token is invalid" | Run brv login again to re-authenticate.
"Billing error" / "Rate limit exceeded" | User should check account credits or wait before retrying.

Agent-Fixable Errors: You MUST handle these errors gracefully and retry the command after fixing.

"Missing required argument(s)." | Run brv <command> --help to see usage instructions.
"Maximum 5 files allowed" | Reduce to 5 or fewer -f flags per curate.
"File does not exist" | Verify path with ls, use relative paths from project root.
"File type not supported" | Only text, image, PDF, and office files are supported.

Quick Diagnosis

Run brv status to check authentication, project, and provider state.
