vercel-deploy
Audited by Socket on Feb 16, 2026
1 alert found:
Security [Skill Scanner]: Download or install from free hosting/deployment platform detected

All findings:
- [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
- [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]
- [HIGH] supply_chain: Download or install from free hosting/deployment platform detected (SC007) [AITech 9.1.4]

Analysis: This skill's purpose (packaging a project, auto-detecting the framework, uploading it to create a Vercel preview and a claim URL) is plausible and internally consistent at a high level. However, the documentation omits the actual implementation details for the critical network step (scripts/deploy.sh): specifically which endpoints are contacted, whether uploads go directly to vercel.com or pass through an intermediary, and whether the deploy process strips sensitive files (e.g., .env). The combination of "No authentication required" and returning claim URLs means users must trust the deploy endpoint with full project sources and any secrets inside. Without the deploy script or network endpoint evidence, this raises a moderate supply-chain/privacy risk.

Recommendation: treat as SUSPICIOUS until the deploy.sh source is reviewed to verify that uploads go directly to official Vercel APIs (HTTPS to vercel.com), that sensitive files are excluded or explicitly warned about, and that renames are only applied to packaged copies rather than in place.

LLM verification: The documented skill performs a legitimate deployment function but presents supply-chain and data-exfiltration risks because the deploy script implementation is absent from the review artifact. The ability to read arbitrary files under a provided path and upload them over the network without explicit user confirmation or documented secret handling could leak sensitive information.
Before trusting or enabling this skill, inspect the deploy.sh implementation to confirm it communicates directly wit