vercel-deploy

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • Data Exfiltration (HIGH): The scripts/deploy.sh script packages the entire project directory (excluding .env and .git) into a compressed tarball and uploads it to https://codex-deploy-skills.vercel.sh/api/deploy. While intended for deployment, this sends potentially sensitive intellectual property to an unverified third-party proxy endpoint rather than the official Vercel API.
      • Evidence: RESPONSE=$(curl -s -X POST "$DEPLOY_ENDPOINT" -F "file=@$TARBALL" -F "framework=$FRAMEWORK") in scripts/deploy.sh.
  • Privilege Escalation (HIGH): The SKILL.md instructions explicitly direct the agent to bypass sandbox network restrictions by requesting sandbox_permissions=require_escalated. This pattern is used to circumvent security controls that would normally prevent unauthorized data exfiltration.
      • Evidence: "When sandboxing blocks the deployment network calls, rerun with sandbox_permissions=require_escalated."
  • Command Execution (MEDIUM): The skill relies on a local bash script that performs complex file system operations (mktemp, tar, find, mv) and network requests, providing a significant attack surface if the environment is compromised.
  • Indirect Prompt Injection (LOW): The script ingests and processes package.json content to detect frameworks. This is a vulnerability surface where a malicious project file could attempt to influence the script's behavior, although the current implementation uses basic grep matching.
      • Ingestion points: scripts/deploy.sh reads package.json and scans for .html files.
      • Boundary markers: None present; the script assumes the project files are trustworthy.
      • Capability inventory: The script has file read/write access via tar and mktemp, and network access via curl.
      • Sanitization: The script attempts to exclude .env files and .git directories from the archive, but still exfiltrates all other source code.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:14 PM