byoa-unlink
Facilitates the release of a Gradient Bang corp ship from BYOA, ensuring proper configuration and access management.
Install this skill
Security score
The byoa-unlink skill was audited on May 20, 2026 and we found 25 security issues across 5 threat categories, including 2 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 43 | ```bash |
Template literal with variable interpolation in command context
| 63 | ```bash |
Template literal with variable interpolation in command context
| 76 | ```bash |
Template literal with variable interpolation in command context
| 97 | ```bash |
Ngrok tunnel reference
| 144 | - Tear down operator-owned infrastructure (Vercel deployment, local `byoa --serve` daemon, ngrok tunnel, etc.). The skill releases the database link and wipes the server-side wake config; the operator |
Access to .env file
| 15 | This skill does **not** delete `.env.byoa`, tear down the operator's local daemon, or unprovision the Vercel deployment — those are the operator's own infrastructure to keep or discard. Pass `--clear- |
Access to .env file
| 25 | - `local` → sources `SUPABASE_URL` from `.env.supabase` |
Access to .env file
| 26 | - **--ship-id**: ship UUID to release. Defaults to `BYOA_SHIP_ID` in `.env.byoa`. |
Access to .env file
| 27 | - **--character-id**: caller's character UUID. Defaults to `BYOA_CHARACTER_ID` in `.env.byoa`. Must be the current BYOA owner (server returns 403 otherwise). |
Access to .env file
| 29 | - **--clear-env**: after a successful unlink, delete `.env.byoa`. Off by default — keep the file if you intend to re-`/byoa-link` the same ship soon (you'll just need a fresh wake secret on re-link an |
Access to .env file
| 35 | - Both `.env.byoa` is missing AND `--ship-id` was not provided. There's nothing to unlink. |
Access to .env file
| 36 | - `--ship-id` provided but no `--character-id` AND `.env.byoa` doesn't have one — the server needs to know which character is making the call. |
Access to .env file
| 37 | - For `env=local`: `.env.supabase` is missing or `SUPABASE_URL` is unset inside it. |
Access to .env file
| 44 | # Load .env.byoa if present |
Access to .env file
| 45 | [ -f .env.byoa ] && set -a && source .env.byoa && set +a |
Access to .env file
| 50 | local) set -a && source .env.supabase && set +a ;; |
Access to .env file
| 110 | ### 4. (Optional) Remove `.env.byoa` |
Access to .env file
| 115 | [ -f .env.byoa ] && rm -f .env.byoa && echo "removed .env.byoa" |
Access to .env file
| 118 | Don't touch other operator-owned state (`.env.supabase`, the Vercel project, the local wake daemon, etc.) — out of scope. |
Access to .env file
| 128 | - `.env.byoa`: kept / removed (per `--clear-env`) |
Access to .env file
| 133 | - **`.env.byoa` missing AND no `--ship-id`**: nothing to unlink — point operator at `/byoa-link` to claim a ship first, or supply `--ship-id`. |
Access to .env file
| 145 | - Touch `.env.bot`, `.env.supabase`, or any other env file. Only `.env.byoa` is in scope, and only when `--clear-env` is passed. |
Prompting for API key/token input
| 61 | If `--access-token` was passed, use it directly. Otherwise prompt for email + password: |
External URL reference
| 24 | - `prod` → `https://api.gradient-bang.com` |
External URL reference
| 49 | prod) SUPABASE_URL=https://api.gradient-bang.com ;; |