vercel-deploy
Audited by Socket on Feb 17, 2026
1 alert found:
Security [Skill Scanner] Download or install from free hosting/deployment platform detected

All findings:
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
[HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]

SUSPICIOUS — The skill's stated purpose (deploy to Vercel) matches the described capabilities (package and upload, detect framework, return preview and claim links). However, the decision to require no authentication and instead provide a claim URL is a noteworthy privacy and supply-chain risk: it implies project source may be uploaded into an account controlled by the skill/operator before the user claims it. That behavior is not inherently malicious, but it is a disproportionate and potentially dangerous data flow for many users (private repos, secrets, proprietary code). The documentation lacks clarity about who controls the initial deployment account, where uploaded data is stored, retention policies, and exact endpoints used. I recommend treating this skill as suspicious until the operator provides explicit guarantees that uploads go directly to official Vercel endpoints, that operator-side access to uploaded code is prevented or minimized, and that users are informed and consenting to the transient ownership model.

LLM verification: Insufficient implementation detail to mark as benign. The documented behavior (packaging local project and uploading it to produce a preview + claim URL) is consistent with legitimate anonymous Vercel deployments, so the described capabilities could be benign. However, the absence of the deploy.sh implementation and the lack of explicit endpoints (does the script call official Vercel APIs or an intermediary?) are significant gaps. That uncertainty creates a realistic risk of source-code exfiltra