Vercel Speed Audit

Optimize Vercel build and deploy speed — audit checklist for new and existing projects.

This is a documentation-only audit tool and appears coherent with its purpose. Before using: - Be careful with commands that change remote state: `vercel deploy`, `vercel deploy --prebuilt`, and `vercel rollback` will modify deployments when run with valid tokens. - Store any Vercel tokens (VERCEL_TOKEN) as least-privileged CI secrets and only add them to trusted workflows; do not paste tokens into chat or public places. - Review any CI workflow YAMLs before applying them to your repository (concurrency, artifact sizes, and `vercel pull` behavior are documented here). The provided GitHub Actions examples assume you have deploy permissions for the project/org. - The skill’s suggested scripts that read git diffs or write `.vercel` files operate on your repo; audit those scripts before enabling them in production to avoid unintentional skips or exposure of environment files. - Because this is instruction-only (no code installed by the skill), nothing will run automatically on your machine just by installing the skill — however, if you give a process a Vercel token or run the provided commands in CI, they can deploy/rollback. Ensure credentials and permissions are controlled accordingly.

Type: OpenClaw Skill Name: vercel-speed-audit Version: 1.0.0 The skill bundle provides comprehensive documentation and instructions for optimizing Vercel deployments, including the use of Vercel CLI commands and GitHub Actions workflows. While the content is educational and benign in intent, it involves powerful commands such as `vercel deploy`, `vercel build`, and `vercel env add`. These commands interact directly with cloud infrastructure and sensitive credentials (Vercel API tokens, even when handled as GitHub secrets). If an AI agent were to execute these commands without robust sandboxing, explicit user confirmation, and stringent input validation, there is a significant risk of unintended deployments, configuration changes, or potential misuse of credentials if the agent's prompt handling or execution environment is compromised. There is no evidence of intentional malicious behavior like data exfiltration, backdoors, or obfuscation within the provided files.