@vc-shell/vc-app-skill No license 7 versions

@vc-shell/vc-app-skill

npm Repository Homepage

AI coding skill for scaffolding and generating VirtoCommerce Shell applications. Works with Claude Code, OpenCode, Gemini, Codex, Cursor.

7

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

virtoandrew.kubyshkin

Keywords

virtocommercevc-shellclaude-codeai-skillscaffoldingvue3

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:silent-process-exec	AI (semgrep): Spawns process.execPath (Node itself) for a self-update check; not a reverse shell or miner pattern.	ai	2026/04/29
semgrep	semgrep:silent-process-exec-var	AI (semgrep): Same update-check spawn; stable false positive for this scaffolding tool.	ai	2026/04/29
semgrep	semgrep:child-process-import	AI (semgrep): child_process used only for the self-update Node subprocess; expected in a CLI/scaffolding tool.	ai	2026/04/29

Versions (showing 7 of 7)

Version	Deps	Published
2.0.6	0 / 0	2026-05-25
2.0.5	0 / 0	2026-05-25
2.0.4	0 / 0	2026-05-18
2.0.3	0 / 0	2026-04-30
2.0.2	0 / 0	2026-04-27
2.0.1	0 / 0	2026-04-24
2.0.0	0 / 0	2026-04-22

v2.0.6

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.5

2 findings

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

INFO Publisher changed: virto → andrew.kubyshkin (on 2026-05-25, known maintainer) provenance

This version was published by a different npm account (andrew.kubyshkin) than the most recent previously approved version (virto) on 2026-05-25, but andrew.kubyshkin is listed as a maintainer on prior approved versions (matched on name). This looks like a manual publish by a known maintainer rather than a publisher change. Recorded as INFO for audit trail.

v2.0.4

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.3

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v2.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

v2.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.