Vercel Platform
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: vercel Version: 1.0.1 The skill bundle provides a comprehensive interface to the Vercel CLI, documenting its commands and options. The `SKILL.md` file contains instructions for fetching Vercel documentation using `curl` from `vercel.com` and lists various `vercel` CLI commands for deployments, project management, environment variables, and domains. All documented actions are legitimate operations for interacting with the Vercel platform and its documentation. There is no evidence of prompt injection attempts, data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or obfuscation. The skill's behavior is clearly aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the wrong command could change production deployments, remove resources, or incur account costs.
The CLI reference includes commands that can deploy to production, delete Vercel resources, or purchase domains. These are purpose-aligned for a Vercel management skill, but they are high-impact operations.
`vercel --prod`; `vercel projects remove <name>`; `vercel domains buy <domain>`; `vercel rm <deployment-url-or-id>`
Confirm the target project, team, deployment, and domain before production, deletion, purchase, promote, rollback, or `--yes` operations.
Actions may affect whichever Vercel account, team, or token scope is active.
The skill documents using Vercel account login, team scope switching, and token-based authentication. This is expected for Vercel management but means commands can run with the user's Vercel account privileges.
`vercel login [email]`; `vercel switch [scope]`; `-t, --token <TOKEN>`
Check `vercel whoami` and the active team/scope before making changes, and use least-privilege tokens when tokens are needed.
Secrets or sensitive logs could be exposed in local files or conversation context if the commands are used carelessly.
The documented commands can retrieve environment variables, project settings, and runtime logs into the local workspace or agent context. This is purpose-aligned, but those materials may contain secrets or sensitive operational data.
`vercel pull` — Pull project settings and env vars from cloud; `vercel env pull [filename]` — pull to `.env.local`; `vercel logs <url|id>`
Only pull or display environment variables and logs when necessary, avoid sharing secrets in chat, and keep `.env.local` protected and excluded from source control.
Users have less external provenance to verify that the CLI reference is maintained by an official or trusted source.
The skill has limited provenance information, although the artifacts show no code files or installer to execute.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Cross-check important commands against official Vercel documentation or `vercel --help` before high-impact use.