vercel-deploy-claimable

Fail

Audited by Snyk on Jun 18, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill returns and instructs the agent to display a Claim URL (and JSON claimUrl field) that contains a transfer code/token, which requires the model to output that secret-like value verbatim and thus poses exfiltration risk.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The script intentionally uploads the user's project tarball to an external deploy endpoint (DEPLOY_ENDPOINT) without authentication and with minimal exclusions (only node_modules and .git), which enables straightforward data exfiltration of source code and sensitive files (e.g., .env) and can be abused to publish or transfer others' projects via the returned claim URL.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

E006
CRITICAL

Malicious code pattern detected in skill scripts.

Audit Metadata
Risk Level
CRITICAL
Analyzed
Jun 18, 2026, 10:13 PM
Issues
2
Security Audit — snyk — vercel-deploy-claimable