I've installed busybox (v1.19.3) on my Debian Testing system, and it certainly doesn't have nvram as a built-in command, so it's presumably an external program which is linked to:
Currently defined functions:
[, [[, adjtimex, ar, arp, arping, ash, awk, basename, blockdev, brctl, bunzip2, bzcat, bzip2, cal, cat,
chgrp, chmod, chown, chroot, chvt, clear, cmp, cp, cpio, cttyhack, cut, date, dc, dd, deallocvt, depmod,
df, diff, dirname, dmesg, dnsdomainname, dos2unix, du, dumpkmap, dumpleases, echo, egrep, env, expr,
false, fgrep, find, fold, free, freeramdisk, ftpget, ftpput, getopt, getty, grep, groups, gunzip, gzip,
halt, head, hexdump, hostid, hostname, httpd, hwclock, id, ifconfig, init, insmod, ionice, ip, ipcalc,
kill, killall, klogd, last, less, ln, loadfont, loadkmap, logger, login, logname, logread, losetup, ls,
lsmod, lzcat, lzma, md5sum, mdev, microcom, mkdir, mkfifo, mknod, mkswap, mktemp, modinfo, modprobe,
more, mount, mt, mv, nameif, nc, netstat, nslookup, od, openvt, patch, pidof, ping, ping6, pivot_root,
poweroff, printf, ps, pwd, rdate, readlink, realpath, reboot, renice, reset, rev, rm, rmdir, rmmod,
route, rpm, rpm2cpio, run-parts, sed, seq, setkeycodes, setsid, sh, sha1sum, sha256sum, sha512sum, sleep,
sort, start-stop-daemon, stat, strings, stty, swapoff, swapon, switch_root, sync, sysctl, syslogd, tac,
tail, tar, taskset, tee, telnet, test, tftp, time, timeout, top, touch, tr, traceroute, traceroute6,
true, tty, udhcpc, udhcpd, umount, uname, uncompress, uniq, unix2dos, unlzma, unxz, unzip, uptime,
usleep, uudecode, uuencode, vconfig, vi, watch, watchdog, wc, wget, which, who, whoami, xargs, xz, xzcat,
yes, zcat