Is byterover safe?

https://clawhub.ai/byteroverinc/byterover

72
CAUTION

ByteRover is a knowledge management skill that instructs the agent to routinely send source code files and architectural descriptions to ByteRover's cloud service via the brv CLI. While the skill contains no executable code or direct malicious payloads, it poses a significant data exfiltration risk by explicitly conditioning the agent to NOT inspect file contents before transmitting them externally, and provides no documentation of data privacy or retention policies. The skill is likely a legitimate commercial product, but its design creates a systemic blind spot for sensitive data leakage.

Category Scores

Prompt Injection 62/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (7)

HIGH Source code sent to external cloud service without agent review -30

The brv curate command with -f flags sends source file contents to ByteRover's cloud servers via the local brv client-server architecture. The skill explicitly instructs the agent NOT to read files before curating ('Don't read files yourself before curating. Use -f flags to let ByteRover read them directly'), which means the agent has no opportunity to check whether files contain sensitive data (credentials, API keys, internal secrets) before transmitting them to a third-party service.

HIGH No data privacy or retention policy documented -15

The skill instructs the agent to regularly send source code, architecture descriptions, and implementation details to ByteRover's cloud service, but provides no information about data retention, privacy policies, encryption, or who has access to the transmitted code. Users have no visibility into what happens to their code after it reaches ByteRover's servers.

MEDIUM Behavioral conditioning to bypass agent file inspection -20

The skill conditions the agent to skip its normal file-reading behavior before passing files to an external service. This is framed as a performance optimization ('Wasteful - reading files twice') but effectively creates a blind spot where the agent sends files without inspecting their contents. This pattern could be exploited to exfiltrate sensitive files that the agent would normally flag.

MEDIUM Skill encourages proactive external data sharing -18

The skill establishes workflows where the agent proactively sends code and architecture information to ByteRover's service as part of normal development. The 'Query before working' and 'Curate after learning' patterns create a habit of continuous data sharing that users may not fully understand the implications of.

LOW Skill encourages comprehensive codebase documentation to external service -5

WORKFLOWS.md Pattern 5 'Comprehensive Documentation' and Pattern 6 'Exploratory Documentation' encourage the agent to systematically map and transmit detailed knowledge about the entire codebase architecture to ByteRover's service, potentially including security-sensitive architectural details.

INFO No executable code in skill package 0

The skill contains only markdown files and JSON metadata. No executable scripts, git hooks, install scripts, or symlinks were found. The skill relies on a separately-installed brv CLI binary.

INFO Filesystem events are from audit harness, not skill 0

The monitored filesystem events (.env, .aws/credentials, .profile reads) are from the openclaw audit runtime initialization, not from the skill itself. The skill package triggered no filesystem activity beyond its own installation.