Byterover 2.0.0
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run this tool and consult/send project memory even when the user did not ask for memory lookup.
The skill makes its use mandatory before broad classes of work rather than limiting itself to memory-related tasks.
description: "You MUST use this for gathering contexts before any work." ... "Before Thinking: Run `brv query`" ... "Before performing any action"
Use ByteRover only when project memory is relevant or the user asks for it; avoid treating it as a mandatory precondition for every task.
Project notes, queries, and selected file contents may be processed by an external provider under terms that are not fully clear from the skill artifacts.
The artifact discloses LLM-provider processing, but the default ByteRover provider, together with the statement that no data is sent to ByteRover except on push, creates unclear data-boundary expectations.
"Connect the default ByteRover provider (no API key needed)" ... "LLM sees the query or curate text and any included file contents" ... "No data is sent to ByteRover servers unless you explicitly run `brv push`."
Confirm where the default provider runs, what data it receives, and its retention policy before using query/curate with sensitive project content.
Incorrect, stale, or sensitive memories could be reused in later tasks or committed if the .brv directory is version-controlled.
Persistent project memory is the core purpose and the storage path is disclosed, but stored notes can influence future agent behavior.
"After Implementing: Run `brv curate` to save new patterns/decisions." ... "All knowledge is stored as Markdown files in `.brv/context-tree/`"
Review curated entries, avoid storing secrets or transient details, and decide whether .brv should be committed or ignored.
The reviewed artifacts do not show the CLI implementation, so users must trust the external npm package.
The runtime behavior depends on an external globally installed npm CLI, while this reviewed skill contains only instructions.
Install: `npm install -g byterover-cli`
Verify the npm package publisher, version, and source before installing, and prefer a pinned version when possible.
If used, provider or ByteRover API keys may allow the CLI to access paid services or cloud spaces.
The skill supports optional provider and cloud-sync API keys; this is expected for the described integrations but still grants account access.
`brv providers connect openai --api-key sk-xxx --model gpt-4.1` ... `brv login --api-key sample-key-string`
Use scoped or revocable keys, avoid sharing real keys in chat, and only enable cloud sync when needed.
