vercel-deploy
Deploy applications and websites to Vercel. Use when the user requests deployment actions like "deploy my app", "deploy and give me the link", "push this live", or "create a preview deployment". Do NOT use for deploying to Netlify, Cloudflare, or Render (use their respective skills).
85
81%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Security
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.70). The skill's fallback script (scripts/deploy.sh) posts the user project to a remote deploy endpoint (https://deploy-skills.vercel.sh/api/deploy), ingests its JSON response (previewUrl/claimUrl), and then polls the returned preview URL (curl) as part of the deployment workflow, which clearly fetches and acts on untrusted, user-provided third-party content.
W013: Attempt to modify system services in skill instructions
What this means
The skill prompts the agent to compromise the security or integrity of the user’s machine by modifying system-level services or configurations, such as obtaining elevated privileges, altering startup scripts, or changing system-wide settings.
Why it was flagged
Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs rerunning with sandbox_permissions=require_escalated and asking to grant escalated network permissions, which advocates bypassing sandbox security controls and thus compromises the machine's security boundary.
- Repository
- tech-leads-club/agent-skills
- Commit
906a57d
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.