vercel-plugin-eval

Fail

Audited by Socket on Mar 9, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill describes a live-eval workflow for vercel-plugin with automated session orchestration and log-based verification. While the documented goals (hook coverage, dedup validation, and coverage reporting) align with a testing/QA context, the footprint shows notable security concerns: unverifiable plugin installation from a GitHub URL, potential exposure of sensitive data via local logs, and execution of real CLI sessions that could be misused if prompt content is untrusted. The design choice to rely on local logs and ephemeral claim files is fragile from a security perspective and could enable data leakage if logs are exposed. Overall, the footprint is suspicious rather than benign, with multiple risk signals concentrated around supply-chain trust (unverifiable binary), data exposure (logs/claims), and potential command execution surfaces during prompt handling. I would categorize this as SUSPICIOUS with elevated security risk pending stricter controls (verifiable source, sandboxed sessions, redacted logs, explicit permission prompts).

Confidence: 98%

Audit Metadata

Analyzed At: Mar 9, 2026, 06:29 AM
Package URL: pkg:socket/skills-sh/vercel-labs%2Fvercel-plugin%2Fvercel-plugin-eval%2F@b16a6ca2c6385d15873958b589b598e8367dc3b7