Vvvv Dotnet

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only vvvv/.NET helper; it gives expected build and NuGet guidance, with no evidence of hidden code, credential use, or unsafe persistence.

This skill appears safe as a documentation-only helper. Before following its setup guidance, confirm that the NuGet sources are appropriate for your project and that you trust the project before letting an agent run build or package commands.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Info
What this means

If the user allows the agent to build a project, the command will operate in the local development environment.

Why it was flagged

The skill explicitly directs the agent to run a local build command. This is expected for a .NET coding helper, but users should be aware that builds can execute project-defined build steps.

Skill content
For AI agents: regardless of workflow, run `dotnet build` to verify your code compiles
Recommendation

Allow build commands only in projects you trust, and review unusual build scripts or project files before running them.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Following the guidance may cause future restores to pull packages from the vvvv feed and resolve newer matching package versions.

Why it was flagged

The skill recommends adding an external NuGet feed and using wildcard package versions. This is coherent for vvvv package development, but dependency versions and sources can change over time.

Skill content
<add key="vvvv" value="https://teamcity.vvvv.org/guestAuth/app/nuget/v1/FeedService.svc/" /> ... <PackageReference Include="VL.Core" Version="2025.7.*" />
Recommendation

Use trusted package sources and consider pinning exact versions for reproducible builds, especially for production or shared projects.