Skills
skills/sundial-org/awesome-openclaw-skills/vercel-deploy/Gen Agent Trust Hub

vercel-deploy

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill packages local directory content and transmits it to a remote API endpoint at claude-skills-deploy.vercel.com for deployment.
  • The deploy.sh script archives the target directory using tar but only explicitly excludes node_modules and .git folders.
  • Files containing sensitive information, such as .env, .aws/credentials, or private keys located within the project directory, are included in the upload by default.
  • Although the destination is a well-known service domain, the transmission of project source code occurs without per-user authentication or a manifest check of the files being sent.
  • [COMMAND_EXECUTION]: The script performs several filesystem and network operations that modify state and interact with external servers.
  • It uses tar to create project archives for transport.
  • It uses curl to perform multipart/form-data POST requests to an external endpoint.
  • It uses mv to rename files in the user's project directory (e.g., renaming single HTML files to index.html) without creating backups or prompting for user confirmation.
  • [METADATA_POISONING]: There is a discrepancy between the author field in the skill metadata (author: vercel) and the organization publishing the skill (sundial-org). This can lead to user confusion regarding the origin and trustworthiness of the deployment script.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 23, 2026, 06:00 PM