vercel-automation

The manifest legitimately describes an automation skill for Vercel using a third-party MCP (rube.app). The primary security concern is centralized custody and forwarding of OAuth tokens and any secrets passed through the MCP. There is no direct evidence of code-level malware or obfuscation in the provided text, but the architecture enables credential capture and privileged account manipulation by the MCP operator or a compromised MCP. Recommendation: only use this skill if you fully trust and can audit the MCP operator; verify requested OAuth scopes, require least-privilege tokens, restrict the MCP to non-production accounts when possible, avoid sending sensitive secrets through the MCP, and demand clear token storage/retention and audit-log guarantees from the MCP. If these guarantees cannot be obtained, treat the integration as too risky for sensitive Vercel resources.