Vercel Speed Audit
Result: Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: vercel-speed-audit
Version: 1.0.0
The skill bundle provides comprehensive documentation and instructions for optimizing Vercel deployments, including the use of Vercel CLI commands and GitHub Actions workflows. While the content is educational and benign in intent, it involves powerful commands such as `vercel deploy`, `vercel build`, and `vercel env add`. These commands interact directly with cloud infrastructure and sensitive credentials (Vercel API tokens, even when handled as GitHub secrets). If an AI agent executes these commands without robust sandboxing, explicit user confirmation, and stringent input validation, there is a significant risk of unintended deployments, configuration changes, or misuse of credentials should the agent's prompt handling or execution environment be compromised. There is no evidence of intentional malicious behavior such as data exfiltration, backdoors, or obfuscation within the provided files.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is too broad or exposed, someone with access to the workflow or secret could affect Vercel deployments or access deployment-related configuration.
The optional CI workflow uses a Vercel token to pull production environment configuration into GitHub Actions, so token scope and CI secret controls matter.
run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
Use least-privilege Vercel tokens, store them as protected GitHub secrets or environments, restrict production workflows with branch protections/approvals, and rotate tokens if exposed.
A misconfigured workflow could deploy the wrong build or change production behavior without the review process the user expects.
The guide includes a production deployment command in an optional GitHub Actions workflow. This is purpose-aligned, but it is a high-impact operation.
DEPLOY_URL=$(vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }})
Use protected branches, required checks, deployment environments, and manual approvals where appropriate before enabling automated production deploys.
CI builds depend on the integrity and version of external tooling and GitHub Actions used by the workflow.
The optional workflow installs the Vercel CLI during CI. This is expected for the deployment pattern, but it depends on an external package at install time.
run: pnpm add -g vercel
Pin tool versions where possible, use trusted actions/packages, keep lockfiles stable, and review CI dependency changes.
Secrets used as build-time literals may be harder to rotate and can appear in server build artifacts that CI or deployment systems store.
The SvelteKit guidance explains that build-time private environment values can be inlined into bundles. That is a valid optimization, but sensitive values need careful handling.
import { DATABASE_URL } from '$env/static/private'; ... // Inlined at BUILD TIME — becomes a literal string in the bundle
Use runtime private environment access for secrets that should not be baked into build artifacts, and protect any CI artifacts that contain server output.
