Vx Commands

Security checks across malware telemetry and agentic risk

Overview

This is a plain vx command-reference skill with no executable payload, though some documented commands could expose or change local development state if a user asks an agent to run them.

Install only if you want your agent to use vx command-reference guidance. Before approving commands, pay special attention to anything that prints the environment, exports shell variables, installs or removes tools, cleans caches, changes vx.toml or vx.lock, or uses authenticated tools such as GitHub CLI; avoid sharing full environment output unless you have checked it for secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill explicitly documents `vx env --json` and `vx dev --export`, which can reveal environment variables or emit shell export statements containing secrets such as API keys, tokens, and credentials. In an agent setting, this is risky because documentation that encourages environment inspection without any warning, scoping guidance, or redaction advice can lead to inadvertent secret disclosure into model context, logs, or downstream tools.

VirusTotal

50/50 vendors flagged this skill as clean.
