Vercel CLI

This skill is an instruction-only guide for the official Vercel CLI and generally coherent with its stated purpose, but take these precautions before installing or using it: - Credentials: The SKILL.md expects you to use VERCEL_TOKEN for automation, yet the registry metadata lists no required env vars — assume the skill will ask you to provide a VERCEL_TOKEN if you want automated operations. Only provide a token with the minimum scope needed, store it securely, and rotate it if you stop using the skill. - Secrets exposure: Commands like vercel env pull write environment variables to local files (.env.local by default). Those files can contain secrets; avoid pulling into shared or cloud-synced directories and delete or secure the file after use. - Arbitrary API calls: The CLI supports vercel api and vercel curl, which can make authenticated requests to your Vercel account. If an agent uses this skill autonomously, it could take any action allowed by the token (deployments, removals, domain changes, billing queries). Only enable autonomous use if you trust the agent behaviors and limit the token's permissions. - Source trust: The skill metadata lacks a homepage and the owner is unknown. Because the skill is just documentation, there is no embedded code, but consider preferring skills with clear authorship or links to official docs. If you plan to run the recommended pnpm i -g vercel command, confirm you are installing the official vercel package from the npm registry and that pnpm is appropriate for your environment. What would change this assessment: if the registry entry declared VERCEL_TOKEN (or justified env requirements), included a trustworthy homepage/owner, or if the skill included an install spec that explicitly used an official release source. Those would raise confidence and could make the verdict benign. Conversely, if you find instructions that attempt to read unrelated system files or push tokens to external endpoints, classify as malicious.