Vercel
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Vercel CLI helper, but it can affect production projects and account secrets, so sensitive commands should be confirmed before use.
This skill appears safe to install as an instruction-only Vercel CLI reference, but treat it as having production deployment and account-management power. Confirm destructive or production commands, verify the project/team scope, protect tokens and environment files, and install the Vercel CLI only from a trusted source.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using these commands could deploy to production, remove projects/domains/environment variables, or skip prompts if the user explicitly directs that path.
The skill documents production deployment, deletion, and no-confirm CLI options. These are purpose-aligned for Vercel management, but they can materially change live services if used without user confirmation.
`vercel --prod` | Deploy current project to production
`vercel project rm <name>` | Remove a project
`--yes` | Skip confirmation prompts
Only run production, deletion, promotion, rollback, or `--yes` commands after explicit user confirmation and with the intended project, team scope, and working directory verified.
The agent may operate under the user's Vercel identity and may handle deployment configuration or environment secrets.
The skill relies on Vercel account authentication and can access or write environment-variable data. This is expected for the integration, but it gives the agent account-level authority and possible secret access.
`vercel login`
`--token <token>` | Login token
`vercel env pull .env.local` | Pull env vars to a local file
Use least-privilege Vercel tokens where possible, avoid exposing tokens or `.env.local` contents in chat, and verify the target team/project before account-changing commands.
Installing a global CLI affects the local environment and depends on the npm package that is downloaded when the user installs it.
The setup uses an unpinned global npm package install. This is normal for a CLI helper, but it depends on the package source and version resolved at install time.
install_command: "npm i -g vercel"
Install the official Vercel CLI from a trusted source, consider pinning or verifying the package/version, and avoid running the install with unnecessary elevated privileges.
