vercel-deploy
Warn
Audited by Snyk on Mar 20, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The fallback deployment script (scripts/deploy.sh), invoked per the SKILL.md fallback workflow, POSTs the user's project to the external endpoint https://codex-deploy-skills.vercel.sh/api/deploy, parses the returned JSON (previewUrl/claimUrl), and then polls the returned previewUrl via curl to decide deployment readiness. It thereby ingests and acts on untrusted, user-generated web content that can influence control flow.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly instructs the agent to request escalated sandbox permissions (sandbox_permissions=require_escalated) to bypass sandboxed networking and rerun deployment commands (and runs local deploy scripts), which asks the agent to bypass security mechanisms and potentially modify the machine state.
Issues (2)
W011
MEDIUM Third-party content exposure detected (indirect prompt injection risk).
W013
MEDIUM Attempt to modify system services in skill instructions.