vercel-deploy
Audited by Socket on Feb 28, 2026
1 alert found:
Security: This skill implements an anonymous deploy helper that packages and uploads a project to produce preview/claim URLs. It is not overtly malicious in the provided manifest, but it presents moderate to high security risks: accidental exfiltration of secrets (because the exclusion list is minimal), execution of local script code with broad filesystem access, lack of endpoint transparency, and guidance that encourages widening network egress. Recommendations: require or implement explicit exclusion of sensitive file patterns (.env, .netrc, *key, *.pem, secrets); prompt users to confirm the inclusion of non-source files before upload; document the exact upload endpoints and the TLS/auth handling; avoid instructing users to add wildcard domains (prefer explicit hostnames); and avoid executing unreviewed scripts, or run them only in a strict sandbox. With these mitigations, the functional behavior can be acceptable for general deployments; without them, use in sensitive environments is risky.