Back to skill

Security audit

Vercel Speed Audit

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Vercel optimization skill with deployment and secret-handling examples that are disclosed and aligned with its purpose.

Install is reasonable if you want Vercel performance guidance, but review any workflow before committing it. Scope Vercel tokens narrowly, store them only in GitHub Secrets or equivalent secret storage, keep `.vercel/.env*` out of commits/caches/artifacts/logs, and use approvals or branch protections before production deploys or rollbacks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide instructs users to run `vercel pull` with a Vercel token but does not warn that this command materializes environment variables into `.vercel/.env.*` files in the workspace and CI filesystem. In a CI/CD context, this can lead to accidental secret persistence, artifact inclusion, cache leakage, or later logging/exfiltration by other workflow steps if the files are not explicitly protected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The on-demand revalidation example places the bypass token in the query string, which can be exposed through browser history, server logs, analytics, proxies, referrer headers, and shared terminal history. If that token leaks, an attacker could trigger unauthorized cache invalidation/revalidation, causing content churn, cache poisoning workflows, or operational disruption.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.