Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vercel Speed Audit

v1.0.0

Optimize Vercel build and deploy speed — audit checklist for new and existing projects.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Vercel speed audit) align with contents: checklist, framework-specific guides, CI/workflow examples and CLI snippets. All requested actions (vercel CLI, depcheck, editing vercel.json, GitHub Actions workflows, SvelteKit adapter changes) are coherent with optimizing Vercel builds.
Instruction Scope
SKILL.md and docs contain concrete commands and file edits scoped to a project's repo and Vercel settings (e.g., git diff-based ignoreCommand, `vercel build`, `vercel deploy --prebuilt`, `vercel pull`, reading project config files). There are no instructions to read unrelated system files or to exfiltrate data to unexpected endpoints. Some steps (e.g., vercel pull, vercel deploy, vercel rollback) will access or modify remote project state when run — this is expected for the documented tasks and is clearly indicated.
Install Mechanism
No install spec or bundled code; instruction-only skill. No downloads or archive extraction. Low install risk — everything is documentation and CLI guidance.
Credentials
The skill declares no required env vars. The docs reasonably describe typical CI secrets (VERCEL_TOKEN, VERCEL_ORG_ID, VERCEL_PROJECT_ID) needed for automated workflows; those are proportional to the documented GitHub Actions + prebuilt pattern. There are no unrelated or unexpected credential requests in the skill.
Persistence & Privilege
always: false and no install steps that persist or modify other skills or system-wide agent config. The skill does include instructions that, when executed by a user or CI, will perform deploys/rollbacks — but that is consistent with its purpose and requires explicit credentials to act on remote projects.
Assessment
This is a documentation-only audit tool and appears coherent with its purpose. Before using:
- Be careful with commands that change remote state: `vercel deploy`, `vercel deploy --prebuilt`, and `vercel rollback` will modify deployments when run with valid tokens.
- Store any Vercel tokens (VERCEL_TOKEN) as least-privileged CI secrets and only add them to trusted workflows; do not paste tokens into chat or public places.
- Review any CI workflow YAMLs before applying them to your repository (concurrency, artifact sizes, and `vercel pull` behavior are documented here). The provided GitHub Actions examples assume you have deploy permissions for the project/org.
- The skill's suggested scripts that read git diffs or write `.vercel` files operate on your repo; audit those scripts before enabling them in production to avoid unintentional skips or exposure of environment files.
- Because this is instruction-only (no code installed by the skill), nothing will run automatically on your machine just by installing the skill — however, if you give a process a Vercel token or run the provided commands in CI, they can deploy/rollback. Ensure credentials and permissions are controlled accordingly.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dz4kgc8csra1j9ee6he1kc181tg8s
