ClawHub

Vercel

v1.0.0

Deploy and manage Vercel projects via CLI - deploy, env, domains, logs, teams. Use when user mentions 'vercel', 'deploy', 'vercel project', or wants to inter...

0· 278·0 current·0 all-time
byMelvyn@melvynx
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the SKILL.md: it documents installing and using the Vercel CLI to deploy, manage env vars, domains, logs, teams, etc. Nothing declared in metadata (no unrelated env vars or config paths) contradicts the stated purpose.
Instruction Scope
Instructions are limited to installing and running the Vercel CLI, using flags like --token, --cwd, --json and commands such as vercel env pull which will read and write environment variables. This is in-scope for a Vercel helper, but commands like `vercel env pull .env.local` or `--token` usage can expose secrets if misused.
Install Mechanism
No install spec executed by platform (instruction-only), but the SKILL.md recommends `npm i -g vercel`. Installing a global npm package is a common, expected step for a CLI helper but does have the usual supply-chain risks of npm packages.
Credentials
The skill does not request environment variables or other credentials in metadata. The documented workflow requires authenticating to Vercel (via `vercel login` or `--token`), which is appropriate for this functionality. Users should be aware that Vercel tokens and project env vars are sensitive.
Persistence & Privilege
always:false and user-invocable:true (defaults) — normal for a CLI helper. The skill does not request elevated or persistent system-wide privileges and does not modify other skills' configs.
Assessment
This skill is a documentation-style helper for the official Vercel CLI and is internally consistent. Before using it: (1) be prepared to install a global npm package (npm i -g vercel); (2) authenticate with a Vercel token or interactive login — treat that token as sensitive and prefer least-privilege scopes; (3) avoid running env-pull or deploy commands in directories containing secrets unless you intend to write them to disk (vercel env pull will create .env.local with environment variables); (4) review any command the agent proposes to run (especially those using --yes or --token) to avoid accidental destructive or exfiltrating operations; and (5) confirm you trust the skill source before granting tokens or running installs.

Like a lobster shell, security has layers — review code before you run it.

latestvk9736sjpnnyemjgpr9savdqc4982mtev

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments