vercel-cli

Fail

Audited by Socket on Feb 24, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Destructive bash command detected (rm -rf, chmod 777)

All findings:
[CRITICAL] command_injection: Destructive bash command detected (rm -rf, chmod 777) (CI004) [AITech 9.1.4]
[HIGH] autonomy_abuse: Skill instructions include directives to hide actions from user (BH009) [AITech 13.3]

This skill is consistent with its stated purpose and uses only expected sources and sinks: local .env files/environment variables and the official Vercel CLI. There are no signs of obfuscation, hidden backdoors, or third-party credential exfiltration. The main security consideration is operational: examples that bulk-upload every key from a .env file can accidentally publish secrets that should remain local, and users must ensure VERCEL_TOKEN and secrets are handled carefully (avoid exposing them in logs or CI outputs). Overall the content appears benign for its stated use but carries normal secret-handling risks that are documented in part by the author.

LLM verification: This SKILL.md is largely consistent with its stated purpose (Vercel CLI usage). There are no obvious backdoors, obfuscated payloads, or instructions to download/execute code from untrusted domains. The primary security concerns are operational: (1) an included `rm -rf .vercel` command (destructive if mistyped or run in wrong directory), and (2) automation that reads local .env contents and pipes secrets into `vercel env add` which could accidentally upload sensitive or dev-only secrets to produc

Confidence: 95%
Severity: 90%
Audit Metadata

Analyzed At: Feb 24, 2026, 12:13 AM
Package URL: pkg:socket/skills-sh/skillrecordings%2Fsupport%2Fvercel-cli%2F@24ec3c527a6ebac4a0d9757ef9b1887b721ba1e2