The Agent Skills Directory

[Security Downgrade] (HIGH): The skill explicitly disables 'Vercel Authentication' (ssoProtection) via the Vercel API after deployment. This is a critical security feature designed to protect deployments from unauthorized access. Disabling it via ssoProtection: null makes the deployment URL publicly accessible to anyone on the internet, potentially exposing sensitive preview builds.
[Credentials Handling] (HIGH): The skill requires the user to provide and export a VERCEL_TOKEN. This token grants programmatic access to the user's entire Vercel account. Storing and passing such tokens through environment variables and command-line arguments (via curl) in scripts that reduce security is a high-risk practice.
[Data Exfiltration] (MEDIUM): The script sends the VERCEL_TOKEN to api.vercel.com. While this is the legitimate Vercel API, it is not on the trusted domain whitelist, and its use here is to perform a security-lowering configuration change.
[Command Execution] (MEDIUM): The skill executes vercel CLI commands and curl with parameters derived from the local file system (folder names). While quoted, this establishes an ingestion surface for untrusted local data to influence external API calls.
[Indirect Prompt Injection] (LOW): The skill is vulnerable to indirect influence via folder names. If an attacker can control the name of the directory where this skill is executed, they can influence the PROJECT_NAME variable used in the Vercel API call.

vercel-deployment