Vercel Deploy

Malicious

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: vercel-deploy
Version: 1.0.0

The skill bundle is classified as benign. All scripts (`vercel_deploy.sh`, `vercel_env.sh`, `vercel_status.sh`) use the official `npx vercel` CLI for Vercel operations, which is aligned with the stated purpose of deploying and managing Vercel projects. The `VERCEL_TOKEN` is securely handled as an environment variable. The `SKILL.md` and other documentation files provide clear instructions and security best practices (e.g., token rotation, not committing tokens to git), and do not contain any prompt injection attempts to manipulate the agent into performing actions outside the skill's defined scope or to exfiltrate data. A confirmation step is included for production deployments, enhancing safety.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Secrets entered as Vercel environment variables could be revealed to anyone who can see the tool output or logs.

Why it was flagged

The helper prints the full environment-variable value before setting it in Vercel. Environment variables can contain secrets such as API keys, database URLs, or tokens, so this can expose sensitive values in terminal output or agent transcripts.

Skill content

```shell
echo "✏️  Setting $KEY=$VALUE (env: $ENV)"
```

Recommendation

Mask values in output, show only the variable name and environment, and require explicit user approval before handling secret values.

What this means

An agent could remove a production or preview environment variable immediately once this path is invoked, potentially breaking deployments.

Why it was flagged

The delete path uses Vercel's non-interactive confirmation flag and has no local confirmation prompt, despite modifying remote project configuration.

Skill content

```shell
npx vercel env rm "$KEY" "$ENV" --token "$VERCEL_TOKEN" "$PROJECT" --yes
```

Recommendation

Remove --yes for destructive operations or add an explicit confirmation step that names the project, key, and environment before deletion.

What this means

The agent could deploy the wrong local directory or Vercel-linked project while appearing to deploy the named project.

Why it was flagged

The script requires a --project argument, but the deployment command does not include or validate $PROJECT. With --yes, the actual deployment target depends on the current directory and Vercel linkage rather than the user-supplied project name.

Skill content

```shell
CMD="npx vercel --token $VERCEL_TOKEN --yes"
```

Recommendation

Validate the working directory and linked Vercel project before deployment, include the target project in the command where supported, and display the resolved target before proceeding.

What this means

Deployments depend on the Vercel CLI package resolved at runtime, which can affect reproducibility and supply-chain review.

Why it was flagged

The skill runs the Vercel CLI through npx without a pinned version or install declaration. This is expected for a Vercel CLI helper, but it may execute runtime code from npm depending on the user's environment.

Skill content

```shell
CMD="npx vercel --token $VERCEL_TOKEN --yes"
```

Recommendation

Declare the npx/Node requirement and pin or document the expected Vercel CLI version.

What this means

Users may overestimate the credential-safety and approval safeguards provided by the skill.

Why it was flagged

The README recommends persisting the token in a shell startup file while also stating that tokens are not stored, and it claims that destructive operations require approval even though the provided env-delete script auto-confirms with --yes.

Skill content

```
echo 'export VERCEL_TOKEN="vtk_xxx..."' >> ~/.bashrc
...
Tokens are passed via environment variables (not stored)
...
Destructive operations require approval
```

Recommendation

Align the documentation with the actual behavior: state when tokens are persisted, warn about command/output exposure, and accurately describe which operations are auto-confirmed.