vercel-to-cloudflare-migrator
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and executes the vinext utility from Cloudflare's official registry using npx for project compatibility checks. As Cloudflare is a trusted vendor, this behavior is considered safe.
- [DATA_EXFILTRATION]: The skill retrieves billing data from the Vercel API using a user-provided token. It contains strict instructions to redact PII, including names, addresses, and payment identifiers, before writing any data to persistent storage or pull requests.
- [PROMPT_INJECTION]: The skill addresses potential indirect prompt injection by treating data from external pricing pages as untrusted. It implements a mandatory evidence chain for parsing: it ingests data via WebFetch, uses explicit boundary instructions to ignore imperative text, restricts output to numeric values, and validates against a known schema.
- [COMMAND_EXECUTION]: The skill uses wrangler and the GitHub CLI (gh) to provision resources and create draft pull requests. These operations are performed with user confirmation and follow best practices, such as avoiding destructive delete operations and ensuring secrets do not appear in logs or command arguments.
Audit Metadata