vercel-deploy
Fail
Audited by Snyk on Mar 17, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill returns and displays a claim URL containing a code/token (a secret-like value) that the agent is expected to output verbatim to the user, creating an exfiltration risk.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). The script deliberately packages and uploads the user's project (excluding only node_modules and .git) to a third-party deployment endpoint (claude-skills-deploy.vercel.com) without authentication or explicit consent, which constitutes unauthorized data exfiltration of potentially sensitive files (envs, keys, secrets) and enables misuse of the code—this is a high-risk malicious pattern.
Issues (2)
W007
HIGH Insecure credential handling detected in skill instructions.
E006
CRITICAL Malicious code pattern detected in skill scripts.
Audit Metadata