vercel-deploy
Fail
Audited by Snyk on Feb 25, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The skill deliberately packages and uploads the user's project to an external, non-official endpoint (https://codex-deploy-skills.vercel.sh) and even instructs that escalated network permissions be requested to bypass sandboxing. This enables unauthorized data exfiltration and potential takeover of deployments. The skill does not contain obfuscated payloads or explicit remote-exec/backdoor code, but the upload combined with the permission escalation is a high-risk intentional behavior.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill's deploy script (scripts/deploy.sh) posts the project to a third-party endpoint and then curls/polls the returned preview URL (PREVIEW_URL) — i.e., it fetches and interprets HTTP responses from arbitrary user-deployed public sites — so untrusted third-party content can influence the agent's workflow.
Audit Metadata