deploy-to-vercel

Fail

Audited by Snyk on Apr 16, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 1.00). This skill includes an explicit fallback that packages the user's project as a tarball and uploads it to an external endpoint (https://codex-deploy-skills.vercel.sh). It even advises escalating sandbox network permissions to perform the upload. This is deliberate data exfiltration of user project contents (potentially including sensitive information) to a third-party service, an intentional and high-risk behavior.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill explicitly sends project packages to the public deploy endpoint (https://codex-deploy-skills.vercel.sh/api/deploy). As part of its required workflow, it then uses the endpoint's JSON response, the deployed site's responses (the preview URL polled by resources/deploy-codex.sh), and the vercel CLI JSON output (vercel ls --format json) to decide deployment status and next actions. This exposes it to untrusted or user-generated third-party content that can influence its behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). As a required no-auth fallback, the deploy script calls the runtime endpoint https://codex-deploy-skills.vercel.sh/api/deploy to upload a project tarball and trigger remote build/deploy actions (executing code on that remote service). This constitutes remote code execution at runtime.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Apr 16, 2026, 06:18 AM
Issues: 3