v0-cli

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its v0.dev automation purpose, but it relies on an unreviewed npm CLI using your v0 API key and can create public v0 projects without confirmation.

Install only if you intentionally want an agent to operate v0.dev for you. Verify the npm package before use, pin the version if possible, provide only an appropriate v0.dev API key, and use `--privacy private` plus explicit approval before creating projects that should not be public.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user or agent may run third-party code that was not reviewed in this package before giving it access to the v0.dev account.

Why it was flagged

The reviewed artifact set contains only SKILL.md and no install spec or code, while the instructions point to unpinned npm-installed code that would handle the user's API key.

Skill content

Dependencies installed: `npm install` in this directory ... Or if installed globally (`npm install -g @hlongvu/v0-cli`)

Recommendation

Verify the npm package source, pin a known version, review the package code before use, and avoid supplying an API key until provenance is trusted.

What this means

An agent could create publicly visible v0 projects if the user does not explicitly set privacy to private or unlisted.

Why it was flagged

The create workflow is non-interactive and public by default, which is high-impact because it can publish generated content to the v0 account without a separate confirmation step.

Skill content

Designed for machine/agent use — no interactive prompts ... `--privacy <privacy>` | `public`, `private`, or `unlisted` | `public`

Recommendation

Require explicit user approval before running `v0 create`, and prefer `--privacy private` unless public publishing is intended.

What this means

Installing users may not notice from metadata that the skill needs account-level v0.dev access.

Why it was flagged

The skill requires a provider API key and can list or modify v0 chats, but the registry metadata declares no required environment variables or primary credential.

Skill content

`V0_API_KEY` | Yes | API key from https://v0.dev/chat/settings/keys

Recommendation

Document the credential requirement in metadata and use the least-privileged v0.dev key available.

What this means

Website ideas, prompts, and refinement text may be transmitted to v0.dev.

Why it was flagged

Prompts and refinement messages are sent to the external v0.dev provider, which is expected for the integration but still relevant for user data handling.

Skill content

A CLI tool for creating and iterating on websites using [v0.dev](https://v0.dev) ... `v0 chat <chatId> <message>`

Recommendation

Do not include secrets or confidential material in prompts unless v0.dev handling is acceptable for the user.