Shell execution without sandboxing
Vettd coreOWASP LLM06Detected in lib/vercel.mjs:1 — `// Vercel CLI helpers. All shell-outs use execFile (not exec) — no shell injection. Error detection: exit code + JSON-pa`
Use for Vercel cost and performance optimization on deployed projects, especially Next.js, SvelteKit, Nuxt, and limited Astro apps. Collect Vercel metrics, usage, project config, and code scan results first; investigate only metric-backed candidates; produce ranked recommendations grounded in verified files and version-aware Vercel/framework docs. Trigger for Vercel bill reduction, slow or expensive routes, caching opportunities, Function Invocations, Build Minutes, Fast Data Transfer, Core Web Vitals, Bot Management, Fluid compute, or cost breakdown requests.
This skill includes a SKILL.md descriptor and ships with reference documentation and scripts. Security observations: unsandboxed shell execution, a safety bypass flag, and references external URL.
Vettd Verdict
The overall verdict combines pass, warning, and failure signals across our checks. Click to see how each check is computed.Skill failed: 3 hard fails in security or structure checks.
Link points to the repository’s default branch (current HEAD). Certification reflects the state of the repo on Jun 2, 2026. Scanned at 4ec6f84b.
security
/ coming soon
/ coming soon
/ coming soon
/ coming soon
Detected in lib/sanitizers/undeclared-dep.mjs:10 — `'dns', 'tls', 'util', 'url', 'stream', 'buffer', 'events', 'process', 'child_process',`
Detected in lib/vercel.mjs:1 — `// Vercel CLI helpers. All shell-outs use execFile (not exec) — no shell injection. Error detection: exit code + JSON-pa`
Detected in lib/verify-claim.mjs:4 — `import { execFile } from 'node:child_process';`
External URL(s) detected in references/candidates.md — referenced content can change after audit
Detected in lib/scanners/turbo-force-bypass.mjs:5 — `// force-flag — `TURBO_FORCE=true` env var or `turbo run ... --force` in build script`
Detected in scripts/merge-signals.mjs:18 — `console.error('usage: node scripts/merge-signals.mjs <signals.json> <codebase.json> [--out merged.json] [--force]');`
Detected in scripts/prepare-investigation-brief.mjs:208 — `else if (a === '--force') out.force = true;`
Scanned text content for instruction override, jailbreak framing, credential solicitation, and embedded injection markers
No repository field found in SKILL.md frontmatter. Skills without a verifiable source repository cannot be externally audited.
best practices
Found code blocks, input/output samples, or an examples section — concrete samples help agents pattern-match effectively
SKILL.md body references files in references/, scripts/, or assets/ — agents can load additional context on demand instead of consuming everything upfront
316 lines (recommended: under 500)
Structured procedures improve reliability for complex tasks
description
Good: description explains when to activate the skill
566/1024 characters used
evals
Add an evals/ directory with test prompts and expected outputs to measure skill quality
scripts
Agents run in non-interactive shells — replace prompts with CLI flags or stdin
Add argument parsing with --help output so agents know the script's interface
Add argument parsing with --help output so agents know the script's interface
Add argument parsing with --help output so agents know the script's interface
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
Script documents its interface via --help or argument parsing
Uses JSON/CSV output which is easily parseable by agents
structure
Additional documentation files available for progressive disclosure
Bundled executable scripts found
Required skill definition file found
Name "vercel-optimize" follows spec (lowercase, hyphens, ≤64 chars)