vercel-to-createos
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes untrusted repository files to derive build and deployment configurations.
- Ingestion points: The skill reads vercel.json, package.json, next.config.js, .nvmrc, and .env* files.
- Boundary markers: No delimiters or protective instructions are provided to separate file content from the agent's internal logic.
- Capability inventory: The skill calls high-privilege MCP tools such as CreateProject, UpdateProjectEnvironmentEnvironmentVariables, TriggerLatestDeployment, and CreateDomain.
- Sanitization: No validation or sanitization of data extracted from project files is performed before its use in tool calls.
- [DATA_EXFILTRATION]: The skill handles the migration of potentially sensitive environment variables. While it includes mitigations such as instructing the agent not to log secrets and advising the user to provide values directly to the tool, the workflow involves the agent processing secret names and values during the migration process.
- [PROMPT_INJECTION]: The skill's description and activation triggers reference a fictional 'April 2026 Vercel security incident.' Using hallucinated or deceptive events to influence agent behavior and skill activation constitutes a form of prompt manipulation via metadata.
Audit Metadata