Vvvv Node Libraries

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for creating and publishing vvvv gamma C# node libraries. Its sensitive examples are purpose-aligned, but users should review the CI publishing workflow before copying it.

This skill appears safe as documentation for vvvv gamma library development. If you ask it to create publishing automation, review the generated GitHub Actions workflow carefully, protect the NuGet key, and consider pinning external actions before enabling automatic publishing.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Low
What this means

If you copy this workflow, anyone or anything able to trigger the workflow under your repository rules may be able to publish packages using your NuGet key.

Why it was flagged

The example publishing workflow uses a NuGet API key stored as a GitHub secret. This is normal for package publishing, but it is still a credential with authority to publish packages.

Skill content

nuget-key: ${{ secrets.NUGET_KEY }}

Recommendation

Use a least-privilege NuGet API key, restrict repository and branch permissions, protect the secret, and rotate it if it is exposed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

If copied unchanged, your package publishing pipeline depends on third-party action code and tag or branch references that may change over time.

Why it was flagged

The CI example depends on external GitHub Actions, including a mutable branch reference for checkout. This is common in sample workflows but is less controlled than pinning actions to immutable commit SHAs.

Skill content

- uses: actions/checkout@master
- uses: microsoft/setup-msbuild@v2
- uses: nuget/setup-nuget@v2.0.0
- uses: vvvv/PublishVLNuget@1.0.43

Recommendation

Before using the workflow, review the referenced actions and consider pinning them to trusted commit SHAs, especially for a workflow that receives a publishing secret.

ASI02: Tool Misuse and Exploitation
Info
What this means

Generated libraries may add application-wide services or dynamic nodes when loaded by vvvv.

Why it was flagged

The skill teaches users to generate vvvv library initialization code that registers services with the host application. This is expected for node libraries, but it changes how the resulting vvvv package behaves at runtime.

Skill content

public override void Configure(AppHost appHost) ... services.RegisterService<MyService>(serviceProvider => ...);

Recommendation

Review any generated Initialization.cs code and ensure registered services or factories are needed, scoped, and disposable where appropriate.