Trust Assessment
vercel-deploy received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Project content uploaded to external Vercel service.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings1
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Project content uploaded to external Vercel service The skill is designed to package the user's entire project directory (excluding `node_modules` and `.git`) into a tarball and upload it to a third-party Vercel deployment service (`https://claude-skills-deploy.vercel.com/api/deploy`). This means all files within the project, including potentially sensitive configuration files, API keys, or private data not explicitly excluded, will be transmitted to an external endpoint. While this is the intended functionality for deployment, users should be fully aware of the scope of data being shared with a third-party. 1. Clearly document to the user that all project files (except `node_modules` and `.git`) are uploaded to a third-party service. 2. Consider adding more explicit default exclusions for common sensitive files (e.g., `.env`, `config.json`, `secrets.yaml`) or provide a mechanism for users to specify custom exclusions. 3. Ensure the `claude-skills-deploy.vercel.com` endpoint is secure and its data handling policies are transparent. | LLM | scripts/deploy.sh:174 |
Scan History
Embed Code
[](https://skillshield.io/report/0f79f4512273c0fa)
Powered by SkillShield