Vercel Deploy
v1.0.0Deploy and manage Vercel projects. Use when deploying applications to Vercel, managing environment variables, checking deployment status, viewing logs, or performing Vercel operations. Supports production and preview deployments. Practical infrastructure operations - no "AI will build your app" magic.
⭐ 1· 4.5k·44 current·44 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description and the included scripts (deploy/env/status) coherently implement a Vercel deployment helper. However the registry metadata declares no required environment variables or primary credential while the SKILL.md and all scripts require VERCEL_TOKEN — a metadata vs implementation mismatch. The SKILL.md/README also reference a scripts/vercel_logs.sh that is not present in the file manifest, which is an operational inconsistency.
Instruction Scope
Runtime instructions are narrowly scoped to Vercel operations (deployments, env vars, status/logs) and do not request unrelated data. But instructions and scripts recommend persisting VERCEL_TOKEN in shell startup files and the scripts pass the token using the --token CLI flag. Passing tokens on the command line can expose them via process lists on multi-user systems; persisting in ~/.bashrc also increases risk if the machine is shared or backed up to remote storage.
Install Mechanism
No install spec is provided (instruction-only), which minimizes install-time risk. The scripts invoke npx to run the Vercel CLI; npx will fetch packages from the npm registry on first run, which is expected for a CLI-based deployer but still means remote code will be executed at runtime. There are no downloads from arbitrary URLs or other high-risk install behaviors.
Credentials
Only one credential is actually required (VERCEL_TOKEN), which is proportionate for a Vercel deploy tool. However the registry metadata does not declare this requirement (incoherent). Also the token handling (CLI flag + encouraging echo into .bashrc) increases the chance of accidental exposure; the skill should explicitly document safer alternatives (use project-scoped tokens, avoid command-line args, prefer ephemeral CI secrets or OS-level secret stores).
Persistence & Privilege
The skill is not marked always:true and does not request system-wide privileges or modify other skills' configurations. The documentation suggests user actions to persist the token in shell profiles (which would be a user-initiated change), but the skill itself does not claim elevated or permanent privileges.
What to consider before installing
This skill appears to implement legitimate Vercel deployment helpers, but review a few points before installing:
- The code expects VERCEL_TOKEN but the registry metadata does not declare it — assume you must provide a Vercel token. Prefer project-scoped tokens and rotate them regularly.
- The scripts pass the token via the --token command-line flag and README suggests echoing the token into ~/.bashrc. Both approaches risk exposing the token (process lists, backups). Consider editing the scripts to rely on the VERCEL_TOKEN environment variable without passing it as a CLI argument, or store the token in a secure secret manager.
- The SKILL.md/README reference scripts/vercel_logs.sh, but that file is not present. Expect runtime errors if an agent attempts to run log commands as documented.
- npx will fetch and run the Vercel CLI from npm on first use — that is expected, but be aware it executes remote code.
If you plan to install: inspect the three included scripts locally, remove the CLI --token argument if you prefer env-only usage, and run in a controlled environment (non-shared machine or ephemeral CI) until you're comfortable. If you need higher assurance, ask the author for corrected registry metadata and the missing vercel_logs.sh, or adapt the scripts to avoid exposing the token on the command line.Like a lobster shell, security has layers — review code before you run it.
latestvk9734qgqtxp5ez7v8esx8qwhrx80jyjv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.