vercel-deploy

Based on the provided manifest/skill documentation alone, the tool's described behavior is consistent with a legitimate Vercel deployment helper: it packages a project, auto-detects framework, uploads to Vercel, and returns a preview and a claim URL. There is no direct evidence of obfuscation, hardcoded credentials, or malicious network destinations in the manifest. Primary risks: (1) Claim URLs are sensitive and should be treated as secrets — the skill should warn users and confirm intent prior to generating or exposing them; (2) The actual deploy.sh and upload implementation were not provided, so we cannot rule out hidden callbacks, exfiltration of environment variables, or non-Vercel endpoints. Review of the implementation is required before a high-assurance trust decision.