Vercel CLI

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Vercel CLI skill, but it exposes account-level, purchase, secret-handling, and protection-bypass commands without strong scoping or approval guidance.

Install it only if you want an agent to help manage a real Vercel account. Use the least-privileged Vercel token available; require manual confirmation for purchases, deletes, promotions, rollbacks, env changes, API write/delete calls, and protection-bypass curl requests; and treat pulled env files as secrets that must not be committed, indexed, or left readable by other local processes.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch (Medium severity, 87% confidence)

The command reference materially exceeds the stated scope of a deployment/project-management skill by including billing, purchases, domains, integrations, and arbitrary API capabilities. In an agent setting, broader documented capabilities increase the chance an automation system will invoke high-impact account or financial operations that the user did not expect from this skill.

Context-Inappropriate Capability (Medium severity, 85% confidence)

Including purchasing and billing-related commands in a skill described as deployment management creates a scope mismatch that can mislead operators and downstream agents. That mismatch is dangerous because it enables unexpected financial actions and irreversible account changes under the guise of routine deployment tooling.

Context-Inappropriate Capability (Medium severity, 92% confidence)

Documenting generic API access and HTTP request capabilities goes beyond normal deployment management and gives an agent a flexible primitive for unreviewed actions. The added `vercel curl` capability is especially risky because it explicitly bypasses protection mechanisms, which can expose protected resources or circumvent expected access controls.

Missing User Warnings (Medium severity, 94% confidence)

Pulling environment variables into a local `.env` file can write secrets to disk where they may be accidentally committed, indexed, or read by other local processes. In an agent context, this is more dangerous because the automation may create the file silently without informing the user that sensitive credentials have been materialized locally.

Missing User Warnings (Medium severity, 91% confidence)

Documenting domain purchase functionality without warning about billing consequences or irreversible account effects can lead users or agents to make unintended financial commitments. Because the skill is framed around deployment, operators may not anticipate that a command can directly incur charges.

Missing User Warnings (Medium severity, 93% confidence)

A generic `vercel buy` command is highly sensitive because it can purchase credits, plugins, subscriptions, or domains, yet the documentation gives no warning about cost or account impact. In an automated skill, such a broad purchase primitive creates a meaningful risk of unauthorized or accidental spending.

Missing User Warnings (Medium severity, 95% confidence)

A command that makes requests while bypassing protection mechanisms has clear security and privacy implications, yet the reference provides no cautionary guidance. In an agent workflow, this could be used to access protected endpoints or data in ways that violate intended safeguards, making the context substantially more dangerous than ordinary deployment management.
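The controls the overview recommends (manual confirmation for purchases, deletes, promotions, rollbacks, env writes, generic API calls and protection-bypass curl requests; pulled env files handled as secrets) can be enforced locally with a small wrapper that sits between the agent and the real CLI. The script below is an added example written for this review; it is not part of the Vercel CLI, of the skill, or of the scanner output above. It assumes the subcommand names quoted in the findings (buy, curl, api, env, domains, promote, rollback, remove), assumes .env.local is the default file written by env pull, and assumes --environment and --git-branch are the value-taking flags of env pull; check each against the CLI version actually installed.

```shell
#!/bin/sh
# vercel-guard.sh: confirmation gate and env-file hygiene around the Vercel CLI.
# Added example; not code from the Vercel CLI or from the skill reviewed here.
# Assumptions: the subcommand names below come from this page's findings
# (buy, curl, api, env, domains, promote, rollback, remove); .env.local is
# assumed to be the "env pull" default; --environment and --git-branch are
# assumed to be the value-taking flags of "env pull". Adjust for your CLI.

# Classify an argv (everything after "vercel"). Prints "confirm" for the
# high-impact families the overview says to gate, "allow" for everything else.
vercel_guard_classify() {
    sub=$1
    [ $# -gt 0 ] && shift
    case "$sub" in
        buy|curl|api|promote|rollback|remove|rm) echo confirm ;;
        domains) case "$1" in buy|rm) echo confirm ;; *) echo allow ;; esac ;;
        env)     case "$1" in add|rm) echo confirm ;; *) echo allow ;; esac ;;
        *) echo allow ;;
    esac
}

# File that "vercel env pull <args>" will write: the first positional argument,
# skipping flags and the values of --environment / --git-branch (assumed).
env_pull_target() {
    skip=0
    for a in "$@"; do
        if [ "$skip" -eq 1 ]; then skip=0; continue; fi
        case "$a" in
            --environment|--git-branch) skip=1 ;;
            -*) ;;
            *) echo "$a"; return 0 ;;
        esac
    done
    echo .env.local   # assumed CLI default; the findings above mention .env
}

# Does .gitignore in the current directory cover $1? Minimal matcher: every
# non-comment line is applied as a shell glob to the bare file name.
envfile_is_ignored() {
    name=${1##*/}
    [ -f .gitignore ] || return 1
    while IFS= read -r pat || [ -n "$pat" ]; do
        pat=${pat#/}
        case "$pat" in ''|'#'*) continue ;; esac
        # $pat is deliberately unquoted so that globs such as .env* apply
        case "$name" in $pat) return 0 ;; esac
    done < .gitignore
    return 1
}

# After a pull: owner-only permissions, and refuse to leave the file outside
# .gitignore. Returns 2 when the file is not ignored.
harden_pulled_env() {
    f=$1
    [ -f "$f" ] || return 0
    chmod 600 "$f"
    if ! envfile_is_ignored "$f"; then
        echo "WARNING: $f holds secrets and is not covered by .gitignore" >&2
        return 2
    fi
}

# Wrapper: gate high-impact commands on an interactive "yes", run the real
# CLI, then harden whatever "env pull" materialized on disk.
vercel_guard_run() {
    if [ "$(vercel_guard_classify "$@")" = confirm ]; then
        printf 'About to run: vercel %s\nType yes to continue: ' "$*" >&2
        read -r answer
        [ "$answer" = yes ] || { echo "aborted" >&2; return 1; }
    fi
    vercel "$@" || return $?
    if [ "$1" = env ] && [ "$2" = pull ]; then
        shift 2
        harden_pulled_env "$(env_pull_target "$@")"
    fi
}

# Run as a script (./vercel-guard.sh env pull) or source it and call
# vercel_guard_run directly.
case "${0##*/}" in vercel-guard.sh) vercel_guard_run "$@" ;; esac
```

Point the agent at the wrapper instead of the bare vercel binary. The .gitignore check is intentionally a minimal glob matcher aimed at the common `.env*` pattern; where git is available, `git check-ignore -q <file>` is the authoritative test and can replace envfile_is_ignored.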

VirusTotal

VirusTotal findings are pending for this skill version.