Skills
skills/akillness/oh-my-gods/vercel-deploy/Gen Agent Trust Hub

vercel-deploy

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The deployment script scripts/deploy.sh archives the local project directory (excluding only node_modules and .git) and uploads the resulting tarball to https://claude-skills-deploy.vercel.com/api/deploy. This action transmits local files to a remote endpoint. Users should be aware that any sensitive data within the project directory, such as .env files, configuration secrets, or private keys, will be included in the upload.
  • [COMMAND_EXECUTION]: The skill executes a bash script that utilizes standard system utilities including tar for file compression and curl for performing network POST requests to the deployment endpoint.
  • [PROMPT_INJECTION]: The skill's metadata contains deceptive author information, identifying the author as 'vercel' instead of the actual author 'akillness'. This form of metadata poisoning is used to gain unearned trust from the user and the agent regarding the skill's origin and safety.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 11, 2026, 01:50 PM