vercel-deploy

Fail

Audited by Socket on Mar 6, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

This skill performs a legitimate deployment function (package & upload static site to Vercel) but carries a medium security risk primarily due to potential accidental data exposure. The biggest issues are lack of safeguards to prevent packaging sensitive files, absence of an explicit confirmation/dry-run step to inspect archive contents, and the practice of instructing users to run an included bash script whose contents are not shown. There is no direct evidence of intentional malware in the described text, but the unseen deploy.sh is the key unknown and should be audited before execution. Recommend: require interactive confirmation of files to upload, implement whitelist/blacklist scanning for common secret files, show the exact endpoint and TLS policy, and publish the deploy.sh contents for review.

Confidence: 98%
Audit Metadata

Analyzed At: Mar 6, 2026, 03:04 AM
Package URL: pkg:socket/skills-sh/CyranoB%2Fsite-craft-skills%2Fvercel-deploy%2F@ab39a81ff20ad8629ea61d55055f9f51f803329f