Trust Assessment
vercel-cli-with-tokens received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 3 critical, 1 high, 2 medium, and 0 low severity. Key findings include "File read + network send exfiltration", "Sensitive path access: Environment file", and "Command Injection via Git Commit Message".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 11/100, indicating areas for improvement.
Last analyzed on May 1, 2026 (commit ce3e64e4). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | File read + network send exfiltration | .env file access | Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/vercel-cli-with-tokens/SKILL.md:237 |
| CRITICAL | Command Injection via Git Commit Message | The skill instructs the agent to construct a `git commit` command where the commit message includes `<description of changes>`. If this description is derived from untrusted user input without proper sanitization, an attacker could inject arbitrary shell commands by including special characters (e.g., backticks, semicolons, newlines) within the description. This could lead to arbitrary code execution on the host system. | When constructing `git commit` messages from user input, ensure the input is properly sanitized or escaped to prevent shell command injection. Consider using a programmatic Git library if available, which often handles such escaping automatically. | Static | SKILL.md:130 |
| CRITICAL | Command Injection via Git Clone URL | The skill instructs the agent to clone a remote repository using `git clone <repo-url>`. If `<repo-url>` is derived from untrusted user input without proper validation or sanitization, an attacker could inject arbitrary shell commands by crafting a malicious URL (e.g., `'; rm -rf /;'`). This could lead to arbitrary code execution on the host system. | Validate and sanitize repository URLs before passing them to `git clone`. Ensure the URL adheres to expected formats and does not contain shell metacharacters. If possible, use a Git library that handles URL parsing and cloning securely. | Static | SKILL.md:150 |
| HIGH | Potential Command Injection in Vercel Environment Variable Name | The skill provides instructions for adding environment variables using `vercel env add VAR_NAME`. If `VAR_NAME` is derived directly from untrusted user input without sanitization, it could be vulnerable to command injection. While the `echo "value" \| ...` structure might mitigate injection in the *value*, the `VAR_NAME` itself is directly part of the command and could be exploited. | Ensure that any variable names (`VAR_NAME`) passed to `vercel env add` are strictly validated and sanitized to prevent shell metacharacters from being interpreted as commands. Only allow alphanumeric characters and underscores for variable names. | Static | SKILL.md:168 |
| MEDIUM | Sensitive path access: Environment file | Access to Environment file path detected: '.env.local'. This may indicate credential theft. | Verify that access to this sensitive path is justified and declared. | Static | skills/vercel-cli-with-tokens/SKILL.md:237 |
| MEDIUM | Supply Chain Risk: Unpinned Vercel CLI Dependency | The skill instructs the agent to install the Vercel CLI using `npm install -g vercel` without specifying a version. This means that future executions could install a newer, potentially incompatible, or even compromised version of the `vercel` CLI if the package registry or the package itself were to be compromised. While `vercel` is an official package, pinning versions is a best practice for supply chain security to ensure deterministic and secure installations. | Pin the version of the Vercel CLI to be installed (e.g., `npm install -g vercel@latest` or `npm install -g vercel@<specific-version>`) to ensure deterministic and secure installations. | Static | SKILL.md:79 |