Skip to content
Rotifer Rotifer Protocol

V(g) Security Scanner

rotifer vg

Section titled “rotifer vg”

Run V(g) static analysis on a Skill or Gene directory. Scans source code for security-relevant patterns and outputs a safety grade (A/B/C/D/?).

Terminal window
rotifer vg [path] [options]

Arguments:

ArgumentRequiredDescription
pathNoPath to the Skill or Gene directory. Defaults to .

Options:

FlagDescription
--id <skill_id>Skill/Gene identifier included in the report
--jsonOutput raw JSON report instead of formatted output
--allScan all code files, not just src/

Security Rules

Section titled “Security Rules”

V(g) checks for 7 security-relevant code patterns:

RuleTargetSeverity
S-01Dynamic code execution (eval(), Function())🔴 CRITICAL
S-02System command execution (child_process, exec, spawn)🔴 CRITICAL
S-03Code obfuscation (atob() + eval combo)🔴 CRITICAL
S-04Suspicious external communication (fetch(), http.request)🟡 HIGH
S-05Environment variable access (process.env)🟡 HIGH
S-06Persistent outbound connections (WebSocket, net.Socket)🟡 HIGH
S-07File system operations (fs.readFile, fs.writeFile)🟠 MEDIUM

Safety Grades

Section titled “Safety Grades”
GradeConditionBadge Color
AZero CRITICAL + Zero HIGHbrightgreen
BZero CRITICAL + ≤2 HIGHgreen
CZero CRITICAL + >2 HIGHyellow
D≥1 CRITICALred
?No source code found (pure prompt Skill)lightgrey

Examples

Section titled “Examples”

Scan the current directory:

Terminal window
$ rotifer vg

Scan a specific Skill with an identifier:

Terminal window
$ rotifer vg ./my-skill --id @alice/search-web

Output JSON for CI/CD:

Terminal window
$ rotifer vg ./my-skill --json > report.json

Scan all files (not just src/):

Terminal window
$ rotifer vg ./my-skill --all

JSON Output Format

Section titled “JSON Output Format”

When using --json, the output follows this schema:

{
  "skill_id": "@author/skill-name",
  "scanned_at": "2026-03-19T12:00:00Z",
  "grade": "B",
  "findings": [
    {
      "rule": "S-04",
      "severity": "HIGH",
      "file": "src/api.ts",
      "line": 42,
      "snippet": "fetch('https://api.example.com/...')"
    }
  ],
  "stats": {
    "files_scanned": 3,
    "lines_of_code": 245
  }
}

Trust Badges

Section titled “Trust Badges”

After scanning, generate a trust badge for your README. Visit the Badge Generator or embed directly:

![Safety](https://img.shields.io/endpoint?url=https://badge.rotifer.dev/safety/@author/skill-name)

See the Trust Badges guide for all badge types and embedding options.