Vercel
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Vercel CLI reference with no bundled code, but it documents commands that can change live Vercel resources and use account credentials.
This skill appears appropriate for Vercel administration, but use it carefully: confirm the active Vercel account/team, require approval before production deploys or deletions, and treat environment variables and tokens as secrets.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses these commands without careful user approval, it could publish, remove, or change live Vercel resources.
The skill documents Vercel CLI operations that can affect production deployments, delete cloud resources, or incur domain purchases. These are purpose-aligned for a Vercel management skill, but they are high-impact actions.
`vercel --prod # deploy to production`; `vercel projects remove <name> # delete project`; `vercel domains buy <domain> # purchase domain`
Require explicit user confirmation for production deploys, deletions, domain purchases/transfers, DNS changes, and similar irreversible or paid actions.
The agent may be able to act under the currently authenticated Vercel account or a provided token, including team-level scopes.
The skill documents authentication, token use, and team-scope switching for the Vercel CLI. This is expected for Vercel administration, but it means actions may run with the user's account or team privileges.
`vercel login [email]`; `vercel switch [scope] # switch between scopes/teams`; `-t, --token <TOKEN>`
Use the least-privileged Vercel account or token available, verify the active team/scope before changes, and avoid sharing long-lived tokens unnecessarily.
Environment secrets could be written locally or modified in Vercel if these commands are used.
The skill documents commands that list, remove, and pull Vercel environment variables, which often contain secrets such as API keys or database URLs. This is purpose-aligned but sensitive.
`vercel env list [environment]`; `vercel env remove <name> [environment]`; `vercel env pull [filename] # pull to .env.local`
Only pull or edit environment variables when needed, keep `.env.local` protected, and confirm the target environment such as development, preview, or production.
Users have less provenance information for deciding whether to trust the skill's instructions.
The registry metadata does not provide an upstream source or homepage to verify provenance. This is mitigated by the artifact being instruction-only with no bundled code or installer.
Source: unknown; Homepage: none
Prefer verifying Vercel command behavior against official Vercel documentation before using high-impact commands.