Vercel Platform

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Vercel CLI reference skill, but users should be careful because some documented commands can change production deployments, delete resources, buy domains, or expose environment data.

Install only if you want an agent to help with Vercel CLI operations. Before allowing commands that deploy to production, delete projects or deployments, modify domains or aliases, buy domains, pull environment variables, view logs, use tokens, or skip prompts with --yes, verify the active Vercel account/team and approve the exact target and command.

SkillSpector

By NVIDIA

Vulnerability Patterns

Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill documents multiple sensitive and destructive Vercel operations such as deleting projects or deployments, modifying domains, pulling environment variables, and promoting or rolling back releases without any safety guidance, confirmation advice, or warnings about production impact. In an agent skill context, this increases the chance that an automated system may invoke high-impact commands on live infrastructure based on ambiguous user requests.

Tool Parameter Abuse

High

Category: Tool Misuse
Content: vercel redeploy <deployment-url-or-id> ``` #### `vercel rm <id>` / `vercel remove` Remove a deployment. ```bash
Confidence: 87% confidence
Finding: rm <id>` /

VirusTotal

47/47 vendors flagged this skill as clean.

View on VirusTotal