Is byteroverinc/byterover-headless safe?

https://github.com/openclaw/skills/tree/main/skills/byteroverinc/byterover-headless

Score: 70 · Verdict: CAUTION

ByteRover Headless is a developer knowledge management skill whose primary function is to sync project context to ByteRover's external cloud via the brv CLI. The skill itself is clean — no executable code, no prompt injection, no covert exfiltration during the audit session — but its cloud-sync architecture is an inherent persistent data egress pathway: anything the agent curates (including source files via --files) is uploaded to ByteRover's servers and pushed on brv push. The unaudited @byterover/cli npm package represents an additional unexamined code-execution surface. This skill is appropriate only for projects where the user explicitly consents to syncing project knowledge to ByteRover's cloud and has reviewed what data the agent is curating.

Category Scores

Category · Score · Weight
Prompt Injection · 80/100 · 30%
Data Exfiltration · 45/100 · 25%
Code Execution · 72/100 · 20%
Clone Behavior · 93/100 · 10%
Canary Integrity · 80/100 · 10%
Behavioral Reasoning · 52/100 · 5%

Findings (7)

[HIGH] Cloud-sync architecture transmits project data to external servers (-30)

The skill's core operation pushes developer context (code patterns, architectural decisions, implementation details) to ByteRover's cloud at app.byterover.com. This is by design and disclosed, but it means the skill is inherently an exfiltration pathway. Any data the agent is instructed to curate — including contents of files passed via --files — leaves the user's local environment and is stored on ByteRover's infrastructure under the user's team/space.

[HIGH] brv curate --files can send arbitrary source files to external cloud (-20)

The skill instructs the agent to use brv curate with a --files flag accepting up to 5 file paths. An agent with broad filesystem permissions could be directed (by a user or by another prompt injection) to curate sensitive files. Once curated and pushed, those file contents reside on ByteRover's servers. There is no indication in the skill of any file-type filtering or content scanning before upload.

[MEDIUM] npm package @byterover/cli not audited: potential install-time code execution (-20)

The skill requires installing @byterover/cli from npm. npm packages can declare arbitrary preinstall/postinstall scripts in package.json that execute during npm install. This package was not installed in the audit sandbox, so its lifecycle scripts, bundled binaries, and runtime behavior were not examined. Any malicious behavior (credential harvesting, persistence, backdoors) in the npm package would execute at install time with the user's filesystem permissions.

[MEDIUM] brv pull enables knowledge poisoning from external cloud (-20)

The brv pull command downloads a context tree from ByteRover's cloud into the local project. If the remote space has been compromised, if the user's ByteRover account is phished, or if ByteRover's servers are breached, the pulled context could contain injected adversarial instructions that influence subsequent agent behavior. The agent has no mechanism to validate the integrity or provenance of pulled knowledge.

[MEDIUM] Instruction to bypass CLI confirmation prompts conflicts with user-permission tip (-10)

Tip #6 instructs the agent to always pass -y to brv push, skipping the CLI's interactive confirmation. Tip #1 separately says to ask the user for permission before push/pull operations. These two instructions are in tension: the agent-facing safety check (ask the user) is preserved, but the tool-level safety check (the CLI's confirmation prompt) is systematically disabled by -y. If the agent fails to ask the user (e.g., because of a prompt injection elsewhere), no secondary brake exists.

[LOW] API key passed as command-line argument is visible in process listings (-5)

The skill instructs the agent to authenticate by running brv login --api-key, with the key supplied as a plain command-line argument. On multi-user systems, or on any system where process listings are visible to other processes or captured in logs, the key could be exposed. The key grants access to the user's ByteRover team and all curated project knowledge.

[INFO] Credential files accessed during monitoring: attributed to monitoring framework, not skill (0)

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at timestamps 1771736068 (pre-clone baseline) and 1771736088 (post-install teardown). No brv CLI was executed during the session (npm install was not run), and no process in the skill directory ran between clone completion and the second access window. These reads are consistent with the monitoring framework's canary baseline and integrity verification cycles. No exfiltration was detected.