vercel-deploy
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Data Exposure & Exfiltration (SAFE): The skill packages and uploads project files to vercel.com. This behavior is expected and occurs over a trusted, whitelisted domain. The script specifically excludes .git and node_modules folders to prevent accidental exposure of version control history or unnecessary dependencies.
- Command Execution (SAFE): Uses standard, non-malicious shell commands (tar, curl, grep, find) to facilitate the deployment workflow. Input paths are handled using proper shell quoting to prevent basic command injection.
- Indirect Prompt Injection (SAFE): While the skill processes user-provided project files, it does not interpret instructions contained within them, serving only as a transport mechanism for deployment. There is no evidence of vulnerable prompt interpolation of untrusted data.
Audit Metadata