Vercel CLI
v1.0.0Vercel CLI skill for deploying and managing Vercel projects from the terminal.
⭐ 0· 70·0 current·0 all-time
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and references clearly describe Vercel CLI functionality (deploy, domains, env management, logs). That aligns with the skill name and description. However, the metadata declares no required environment variables while the documentation explicitly recommends using VERCEL_TOKEN for CI; the metadata omission is an inconsistency that should be fixed.
Instruction Scope
Instructions are limited to installing and using the vercel CLI and its subcommands. They do include commands that can access or export sensitive data (vercel env pull writes env vars to local files, vercel api/vercel curl allow arbitrary authenticated requests). Those actions are expected for a CLI wrapper but increase the potential for accidental exposure of secrets if the token or pulled env files are mishandled.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. The SKILL.md suggests installing the CLI with pnpm globally (pnpm i -g vercel). Because nothing is auto-downloaded or executed by the skill itself, install risk is low — but the user would perform a global npm-like install which has the usual trust considerations for third-party packages.
Credentials
The SKILL.md recommends using VERCEL_TOKEN for automation and warns against passing tokens on the command line, which is appropriate. However, the skill metadata did not declare VERCEL_TOKEN (or any env) as required. Additionally, commands like vercel env pull and vercel api can expose or transmit environment variables and perform arbitrary authenticated requests — giving a token to this skill (or an agent that will run these commands) grants the ability to read and modify project secrets, domains, deployments, and potentially billing information. The requested privilege (token) is proportional to a CLI but should be minimized and guarded.
Persistence & Privilege
The skill does not request always: true or any persistent system-wide changes; it is user-invocable and allows autonomous invocation (platform default). There is no evidence it modifies other skills or system configs. Normal platform autonomy combined with the ability to run vercel commands means the agent could perform actions if given a token — this is expected but worth noting.
What to consider before installing
This skill is an instruction-only guide for the official Vercel CLI and generally coherent with its stated purpose, but take these precautions before installing or using it:
- Credentials: The SKILL.md expects you to use VERCEL_TOKEN for automation, yet the registry metadata lists no required env vars — assume the skill will ask you to provide a VERCEL_TOKEN if you want automated operations. Only provide a token with the minimum scope needed, store it securely, and rotate it if you stop using the skill.
- Secrets exposure: Commands like vercel env pull write environment variables to local files (.env.local by default). Those files can contain secrets; avoid pulling into shared or cloud-synced directories and delete or secure the file after use.
- Arbitrary API calls: The CLI supports vercel api and vercel curl, which can make authenticated requests to your Vercel account. If an agent uses this skill autonomously, it could take any action allowed by the token (deployments, removals, domain changes, billing queries). Only enable autonomous use if you trust the agent behaviors and limit the token's permissions.
- Source trust: The skill metadata lacks a homepage and the owner is unknown. Because the skill is just documentation, there is no embedded code, but consider preferring skills with clear authorship or links to official docs. If you plan to run the recommended pnpm i -g vercel command, confirm you are installing the official vercel package from the npm registry and that pnpm is appropriate for your environment.
What would change this assessment: if the registry entry declared VERCEL_TOKEN (or justified env requirements), included a trustworthy homepage/owner, or if the skill included an install spec that explicitly used an official release source. Those would raise confidence and could make the verdict benign. Conversely, if you find instructions that attempt to read unrelated system files or push tokens to external endpoints, classify as malicious.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
▲ Clawdis
latest
Vercel CLI
Vercel CLI skill for deploying and managing Vercel projects from the terminal. Use when the user wants to deploy, list, inspect, rollback, or manage Vercel deployments; configure domains, SSL certificates, environment variables; manage teams or view usage; or needs help with vercel CLI commands.
Environment Setup
Install Vercel CLI:
pnpm i -g vercel
Update:
pnpm i -g vercel@latest
Verify Version:
vercel --version
Authentication
Interactive Login:
vercel login
CI/CD Environment (Recommended):
- Create an access token on the Tokens page
- Set the
VERCEL_TOKENenvironment variable
Prefer using the
VERCEL_TOKENenvironment variable over the--tokenflag to avoid exposing the token in process lists or logs.
Core Workflows
Deployment
vercel # Deploy to preview environment
vercel deploy --prod # Deploy to production environment
vercel build # Build locally
vercel dev # Develop locally simulating Vercel environment
Project Linking
vercel init # Initialize from official template
vercel link # Link local directory to Vercel project
vercel pull # Pull remote environment variables to local
Deployment Management
vercel list [project] # List recent deployments
vercel inspect [url/id] # View deployment details (add --logs for build logs)
vercel logs [url] # View runtime logs (--follow for real-time tracking)
vercel promote [url/id] # Promote specified deployment to production
vercel redeploy [url/id] # Rebuild and redeploy
vercel rollback # Rollback production environment
vercel remove [url] # Remove deployment or project
vercel bisect # Bisect to locate problematic deployment
Domains and Certificates
vercel alias set [url] [domain] # Set custom domain
vercel alias rm [domain] # Remove domain alias
vercel domains ls # List domains
vercel domains add [domain] # Add domain
vercel certs ls # List SSL certificates
vercel certs issue [domain] # Issue certificate for domain
Environment Variables
vercel env ls # List environment variables
vercel env add [name] [env] # Add (env optional: production/preview/development)
vercel env rm [name] [env] # Remove environment variable
vercel env pull [file] # Pull to local file
Account and Teams
vercel whoami # Current logged-in username
vercel teams list # List teams
vercel switch [team] # Switch team
vercel usage # View usage and billing
Advanced Tools
vercel api [endpoint] # Make authenticated API request (Beta)
vercel curl [path] # HTTP request (Beta)
vercel cache purge # Purge CDN cache
vercel blob # Vercel Blob storage operations
vercel integration # Manage integrations
vercel mcp # MCP client configuration
Key Notes
- Most commands support
--helpfor detailed parameters:vercel help [command] vercelis equivalent tovercel deploy--prod/--productionflag deploys to production environment--followforlogscommand enables real-time log tracking- Use
VERCEL_TOKENenvironment variable for automated authentication; do not expose token on the command line
Reference Documentation
- REST API: https://vercel.com/docs/rest-api
- Create Token: https://vercel.com/account/tokens
- See
references/commands.mdfor detailed command parameter descriptions
Comments
Loading comments...