Trust Assessment
vercel-deploy received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, covert behavior / concealment directives, and untrusted content attempting to manipulate host LLM behavior.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Untrusted content attempts to manipulate host LLM behavior.** The skill's `SKILL.md` contains direct instructions to the host LLM, such as "Always deploy as preview (not production)", "Use a 10 minute (600000ms) timeout", "Tell the user:", and "rerun the deploy with escalated permissions (use `sandbox_permissions=require_escalated`)". These instructions are embedded within untrusted input delimiters and attempt to dictate the LLM's operational parameters and conversational responses, which constitutes a prompt injection. Recommendation: Remove all direct instructions to the host LLM from the untrusted `SKILL.md` content. LLM behavior should be controlled by trusted system prompts or tool definitions, not by untrusted skill descriptions. | LLM | SKILL.md:3 |
| HIGH | **Broad project data sent to external deployment service.** The `scripts/deploy.sh` script archives the entire project directory (excluding `.git`, `node_modules`, `.env`, `.env.*`) and sends it to an external Vercel endpoint (`https://codex-deploy-skills.vercel.sh/api/deploy`). While deployment inherently involves sending project files, the broad scope of `tar -cf - .` means that any sensitive files not explicitly excluded (e.g., `secrets.json`, `config.yaml` with API keys, private SSH keys if present in the project directory) could be exfiltrated to the third-party service without explicit user awareness or consent for these specific files. Recommendation: Implement a more granular approach to file inclusion for deployment, or provide clear warnings to the user about the full scope of data being sent. Consider allowing users to specify additional exclusion patterns or explicitly listing included file types. | LLM | scripts/deploy.sh:70 |
| MEDIUM | **Network egress to untrusted endpoints.** HTTP request to a raw IP address. Recommendation: Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| LOW | **Covert behavior / concealment directives.** Multiple zero-width characters (stealth text). Recommendation: Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Full report: https://skillshield.io/report/f2a6892eb7d84620