byoa-link
Facilitates onboarding for Gradient Bang operators to run BYOA, generating necessary environment configurations and secrets.
Install this skill
or
0/100
Security score
The byoa-link skill was audited on May 30, 2026 and we found 33 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
high line 33
Template literal with variable interpolation in command context
SourceSKILL.md
| 33 | - For `local`: `${SUPABASE_URL}` is unset in `.env.supabase` (or the file is missing entirely). |
medium line 77
Template literal with variable interpolation in command context
SourceSKILL.md
| 77 | ```bash |
medium line 91
Template literal with variable interpolation in command context
SourceSKILL.md
| 91 | ```bash |
medium line 106
Template literal with variable interpolation in command context
SourceSKILL.md
| 106 | ```bash |
medium line 124
Template literal with variable interpolation in command context
SourceSKILL.md
| 124 | ```bash |
medium line 149
Template literal with variable interpolation in command context
SourceSKILL.md
| 149 | ```bash |
medium line 3
Access to .env file
SourceSKILL.md
| 3 | description: Onboard a Gradient Bang operator to run a Bring-Your-Own-Agent (BYOA) — logs in with email/password, claims a corp ship as BYOA, generates a per-ship wake secret, and writes `.env.byoa` f |
medium line 10
Access to .env file
SourceSKILL.md
| 10 | Walks an operator through everything they need to run `uv run byoa` against a Gradient Bang corp ship. End state: a populated `.env.byoa` at the **main repo root** (mode 0600), a ship claimed as BYOA |
medium line 22
Access to .env file
SourceSKILL.md
| 22 | - `local` → sources `SUPABASE_URL` from `.env.supabase` (`http://127.0.0.1:54321` when `npx supabase start` is running) |
medium line 23
Access to .env file
SourceSKILL.md
| 23 | - **--force**: overwrite an existing `.env.byoa` without prompting |
medium line 25
Access to .env file
SourceSKILL.md
| 25 | - **--out**: write the env file somewhere other than `<repo-root>/.env.byoa`. Without this flag, the file always lands at the main repo root regardless of cwd. |
medium line 27
Access to .env file
SourceSKILL.md
| 27 | The `dev` env was dropped — it required internal-only env files (`.env.cloud.dev`, `EDGE_API_TOKEN`) that operators don't have. Internal team members testing against dev should run `local` with their |
medium line 33
Access to .env file
SourceSKILL.md
| 33 | - For `local`: `${SUPABASE_URL}` is unset in `.env.supabase` (or the file is missing entirely). |
medium line 34
Access to .env file
SourceSKILL.md
| 34 | - The resolved destination already has a `.env.byoa` and `--force` was not passed. Check the resolved repo-root path (or `--out`), not cwd. |
low line 63
Access to .env file
SourceSKILL.md
| 63 | set -a && source .env.supabase && set +a |
medium line 69
Access to .env file
SourceSKILL.md
| 69 | `BYOA_WAKE_SECRET` is the **per-ship** bearer that authenticates `wake_agent` → wake-receiver (local daemon or operator's Vercel Function). Generate a fresh random hex string (`openssl rand -hex 32`) |
medium line 71
Access to .env file
SourceSKILL.md
| 71 | The bus **channel** is allocated server-side per voice session and injected into the harness env by `wake_agent`. Operators never see or set a channel. The local-dev wake daemon (`uv run byoa --serve` |
medium line 122
Access to .env file
SourceSKILL.md
| 122 | Generate a fresh random hex bearer (`openssl rand -hex 32`). The wake secret is a per-ship, operator-side credential. Capture the freshly-generated hex in memory; write it to `.env.byoa` in step 7 AND |
medium line 143
Access to .env file
SourceSKILL.md
| 143 | ### 7. Write `.env.byoa` |
medium line 145
Access to .env file
SourceSKILL.md
| 145 | Path: `--out` value, or `<main-repo-root>/.env.byoa` if not provided. **Never write to cwd** — the skill is regularly invoked from a worktree, and writing there hides the file from the operator's norm |
low line 151
Access to .env file
SourceSKILL.md
| 151 | OUT_PATH="${OUT_OVERRIDE:-$PROJECT_ROOT/.env.byoa}" |
medium line 166
Access to .env file
SourceSKILL.md
| 166 | Only the three required values are filled in; every other option (`BYOA_PROMPT_FILE`, `TASK_LLM_*`, `BYOA_TOOL_CALL_TIMEOUT_SECONDS`, …) stays commented out at its default. `SUBAGENT_BUS_DATABASE_URL` |
medium line 175
Access to .env file
SourceSKILL.md
| 175 | - Author `./prompt.md` (≤ 8 KB, appended to the base task-agent prompt) and set `BYOA_PROMPT_FILE=./prompt.md` (or inline `BYOA_PROMPT=...`) in `.env.byoa`. |
medium line 180
Access to .env file
SourceSKILL.md
| 180 | The daemon reads `.env.byoa` and waits for wakes from `wake_agent`. As long as the ship has no per-ship `source_url` set, `wake_agent` defaults to `http://host.docker.internal:8765/wake` and routes to |
medium line 181
Access to .env file
SourceSKILL.md
| 181 | - **Production** (env = `prod`): run `/byoa-deploy-vercel prod` next. It deploys the template at [deployment/vercel/](../../../deployment/vercel/) to the operator's Vercel project (production by defau |
high line 181
Prompting for API key/token input
SourceSKILL.md
| 181 | - **Production** (env = `prod`): run `/byoa-deploy-vercel prod` next. It deploys the template at [deployment/vercel/](../../../deployment/vercel/) to the operator's Vercel project (production by defau |
low line 21
External URL reference
SourceSKILL.md
| 21 | - `prod` / `live` → `https://api.gradient-bang.com/functions/v1` (operator-facing; no env file needed). If the operator types nothing, this is what they get. |
low line 22
External URL reference
SourceSKILL.md
| 22 | - `local` → sources `SUPABASE_URL` from `.env.supabase` (`http://127.0.0.1:54321` when `npx supabase start` is running) |
low line 53
External URL reference
SourceSKILL.md
| 53 | SUPABASE_URL=https://api.gradient-bang.com |
low line 64
External URL reference
SourceSKILL.md
| 64 | # SUPABASE_URL now points at http://127.0.0.1:54321 (or whatever the file has). |
low line 138
External URL reference
SourceSKILL.md
| 138 | - **Leave unset** (recommended for local dev): `wake_agent` falls back to `http://host.docker.internal:8765/wake` — the default port for `uv run byoa --serve` running on the host. No further config ne |
low line 139
External URL reference
SourceSKILL.md
| 139 | - **Set explicitly**: pass `source_url` on the same `set` call (or a follow-up). Required for Vercel/prod deploys (`https://<your-project>.vercel.app/api/wake`) and for local daemons listening on a no |
low line 180
External URL reference
SourceSKILL.md
| 180 | The daemon reads `.env.byoa` and waits for wakes from `wake_agent`. As long as the ship has no per-ship `source_url` set, `wake_agent` defaults to `http://host.docker.internal:8765/wake` and routes to |
Scanned on May 30, 2026
View Security DashboardGitHub Stars 390
Rate this skill
Categorydevelopment
UpdatedJune 15, 2026
claudefrontendsupabasedocxgitapidatabasetestingdevopsbackenddevops-srebackend-developerdata-engineersupabasedevelopment
pipecat-ai/gradient-bang