vercel

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly shows piping a secret value into the CLI with printf ('printf 'value' | npx vercel env add'), which instructs embedding secret values verbatim in generated commands and thus risks exfiltration.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). Running commands like "npx vercel ..." fetches and executes the Vercel CLI from the npm registry (e.g. https://www.npmjs.com/package/vercel) at runtime, so external code is executed and is required for the skill to operate.