Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ByteRover - Headless
v1.6.0
Query and curate knowledge-base using ByteRover CLI. Use `brv query` for knowledge retrieval, `brv curate` for adding context, and `brv push/pull` for syncing.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual requirements and behavior: the skill requires the 'brv' binary and the install spec installs the @byterover/cli package which provides that binary. Nothing requested by the skill (no unrelated binaries, env vars, or config paths) is out of scope for a CLI integration.
Instruction Scope
SKILL.md stays within ByteRover CLI operations (login, init, status, query, curate, push, pull). It asks the user to supply an API key at runtime (via brv login) and to include up to 5 files for curate; it does not instruct the agent to read arbitrary system files or unrelated credentials. Note: brv login outputs text (not JSON), and credentials/config are stored under the project's .brv directory according to examples — automation should handle that and avoid exposing secrets.
Install Mechanism
Install uses npm to add @byterover/cli and create the 'brv' binary. npm is an expected mechanism for a Node-based CLI. This will write files/binaries to the environment (node_modules/.bin or global install depending on setup), so users should verify the package's provenance before installing.
Credentials
The skill declares no required environment variables, which is consistent. Runtime usage requires an API key for login (entered interactively or supplied to brv); this is appropriate for a remote service. Be aware the CLI likely writes auth tokens/config to .brv in the project directory (example shown), so secrets may be persisted on disk — use a least-privileged API key and/or a dedicated account.
Persistence & Privilege
always:false is set, and the skill makes no requests to modify other skills or system-wide agent settings. The skill does not ask for permanent platform privileges. The ability to run commands autonomously is the platform default but is not combined with other concerning privileges here.
Assessment
This skill is a straightforward adapter for the ByteRover CLI, but before installing:
1) verify the npm package (@byterover/cli) and its publisher (check the npm registry and package source) to ensure it's the official ByteRover client;
2) when using it, supply a dedicated, least-privileged API key rather than broad or production credentials;
3) be aware the CLI stores auth/config under .brv in your project — inspect that file if you are concerned about persisted tokens and protect its directory;
4) automation will use flags like --headless --format json and brv push -y (which skips confirmations) — avoid -y unless you want to allow destructive/remote changes without manual confirmation;
5) if you need stronger assurance, review the installed package contents (node_modules or the published tarball) before running it.
Like a lobster shell, security has layers — review code before you run it.
