ClawHub

Vx Project

v1.0.0

Project management guide for vx. Use when setting up a new project, configuring vx.toml, or managing project-level tool versions and scripts.

0· 29·1 current·1 all-time
byHal@loonghao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the SKILL.md contents: guidance for creating and managing vx.toml, running vx commands, and handling project tools and scripts. The skill does not request unrelated binaries, env vars, or secrets.
Instruction Scope
Runtime instructions are limited to calling vx commands and reading common project files (package.json, pyproject.toml, Cargo.toml, go.mod, etc.). The doc also mentions hooks and templates which, when executed by vx, may run arbitrary scripts from the project—this is expected for a project-management tool but is the primary operational risk to be aware of.
Install Mechanism
No install spec or code files are provided (instruction-only). Nothing is downloaded or written by the skill itself, so there is minimal installation risk from the skill bundle.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md merely shows examples of how vx can be configured to read env vars (e.g., API_KEY, DATABASE_URL) which is consistent and does not imply exfiltration by the skill itself.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent or elevated platform privileges and does not instruct modifying other skills or global agent settings.
Assessment
This skill is a documentation-only guide for using the vx CLI and appears coherent. Before running vx setup/sync/dev on untrusted code: 1) ensure you have an authentic vx CLI from a trusted source; 2) inspect vx.toml, vx.lock, and any hooks or templates (post_setup, pre_commit, templates' post_setup.sh) because those can run arbitrary commands and install packages; 3) avoid placing secrets (API keys, DB URLs) directly in vx.toml or commit them to repos; 4) prefer pinned versions and review vx.lock for CI reproducibility; and 5) run initial setup in a sandboxed environment or CI runner with least privilege if the repository is untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk970q8qqqykrx4hm4ps3mms5d9849kcj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments