vercel-deploy

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill returns and displays a claim URL containing a code/token (a secret-like value) that the agent is expected to output verbatim to the user, creating an exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The script is not obfuscated and contains no remote-exec/backdoor code, but it uploads the entire user project tarball (excluding only node_modules and .git) to an external endpoint (claude-skills-deploy.vercel.com), which can exfiltrate sensitive files (env vars, tokens, credentials) without explicit safeguards or authentication — high risk for data exfiltration.