vercel-github-actions-deploy

Fail

Audited by Socket on Feb 18, 2026

1 alert found:

Malware (severity: HIGH)
File: SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]

Analysis: The workflow reliably achieves its goal: enabling teammates to trigger Vercel production deploys on a Hobby account by impersonating the account owner within the ephemeral CI runner and running the vercel CLI with an owner token. There is no sign of obfuscated or exfiltration-oriented code in the provided files. However, the pattern raises significant security and governance concerns: impersonation undermines auditability, repository-level secrets concentrate high privileges, and misuse or misconfiguration can expose tokens. Treat this as a moderate security risk that may be acceptable only with explicit organizational approval, strict token scoping and rotation, and tightened repository/Actions policies.

LLM verification: No clear signs of malware or remote credential-harvesting proxies are present. The workflow and documentation are consistent with the stated goal: using an account-owner identity and Vercel token in CI to make Vercel accept deploys from any teammate. However, the core technique (overriding the commit author in the runner) is an impersonation vector that can be abused to hide who triggered a production deploy and is thus a significant operational/security risk. If an organization accepts this pattern

Confidence: 95%
Severity: 90%
Audit Metadata
Analyzed At
Feb 18, 2026, 08:36 AM
Package URL
pkg:socket/skills-sh/itsOmSarraf%2Fvercel-github-actions-deploy-skills%2Fvercel-github-actions-deploy%2F@3753a8714f063f430618477acca35e89e5213528