The Agent Skills Directory

[DATA_EXFILTRATION]: The script scripts/deploy.sh archives the project directory and uploads the resulting tarball to an external endpoint (https://claude-skills-deploy.vercel.com/api/deploy). This endpoint is an unofficial application and is not a part of the official Vercel API infrastructure.
[DATA_EXFILTRATION]: The archiving process excludes node_modules and .git but includes all other project files by default. This poses a significant security risk as sensitive configuration files such as .env, which often contain private keys, database strings, and API credentials, are transmitted to an external server controlled by the skill author.
[COMMAND_EXECUTION]: The skill executes local shell commands including tar to package files and curl to transmit project data to a remote server.
[PROMPT_INJECTION]: The skill's SKILL.md metadata contains deceptive information claiming the author is "vercel," while the .author and _meta.json files reveal the true author is "sharanga10." This impersonation is a social engineering tactic that may mislead users into trusting the skill with private source code and secrets.

vercel-deploy