registry  /  vercel  /  56.1.0

vercel@56.1.0

The command-line interface for Vercel

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `vercel agent init` (or `vercel agent`) and confirms, or supplies `--yes`.
Impact
Adds or updates Vercel-authored best-practice instructions that may influence AI coding agents in that project.
Mechanism
Explicit project-local AGENTS/CLAUDE instruction-file mutation.
Rationale
Not malicious: inspected source shows no lifecycle-triggered or unconsented attack chain. Warn because an explicit CLI command can alter AI-agent instruction files and thereby influence agent behavior.
Evidence
package.jsondist/vc.jsdist/index.jsdist/commands-bulk.jsdist/get-latest-worker.cjsdist/chunks/chunk-W346YNDN.jsAGENTS.mdCLAUDE.md

Decision evidence

public snapshot
AI called this Suspicious at 94.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/commands-bulk.js` implements `vercel agent init`, which writes Vercel guidance into `AGENTS.md` or `CLAUDE.md` in the current project.
  • The command can overwrite its marked section or append/create the agent instruction file.
  • `dist/index.js` dispatches `agent` only when the user invokes that CLI subcommand.
Evidence against
  • `package.json` has no `preinstall`, `install`, or `postinstall` lifecycle hook.
  • `agent init` requires an interactive confirmation or explicit `--yes` when stdin is non-interactive.
  • Writes are limited to the current project instruction file; no stealth persistence or foreign global agent configuration was found.
  • No credential harvesting, payload download, or exfiltration chain was confirmed in inspected files.
  • `dist/vc.js` only optionally launches a package-aligned native CLI binary, then loads the JS CLI.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 127 file(s), 7.36 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, api.example.com, api.vercel.com, backend.internal, bitbucket.org, codeload.github.com, cursor.sh, dogs.are.great, err.sh, example.com, example.vercel.app, examples.vercel.sh, feross.org, fetch.spec.whatwg.org, gist.githubusercontent.com, github.com, gitlab.com, internal.example.com, mcp.vercel.com, mimesniff.spec.whatwg.org, mozilla.github.io, my-app-xxxxx.vercel.app, new-api.example.com, now.sh, openapi-internal.vercel.sh, openapi.vercel.sh, raw.githubusercontent.com, registry.npmjs.org, sites.google.com, stackoverflow.com, telemetry.vercel.com, tools.ietf.org, vercel.com, vercel.link, w3c.github.io, websockets.spec.whatwg.org, www.example.com, www.w3.org, your-project-abc123.vercel.app
Oversized source lightweight scan
dist/chunks/chunk-TLHKETA6.js2.38 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalShellDynamicRequireHighEntropyStringsUrlStringsbitbucket.orgfeross.orggithub.comgitlab.comstackoverflow.comtools.ietf.orgvercel.comvercel.linkwww.w3.org

Source & flagged code

12 flagged · loading source
dist/vc.jsView file
17// release flow to publish natives before vercel, activating this path. L18: import { spawnSync } from 'node:child_process'; L19: import { createRequire } from 'node:module';
High
Child Process

Package source references child process execution.

dist/vc.jsView on unpkg · L17
dist/commands-bulk.jsView file
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L482: import { L483: require_execa L484: } from "./chunks/chunk-24FCBXI4.js"; ... L1061: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1062: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1063: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1152: telemetry2.trackCliFlagHelp("agent"); L1153: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1154: return 2;
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/commands-bulk.jsView on unpkg · L2
2Trigger-reachable chain: manifest.bin -> dist/vc.js -> dist/index.js -> dist/commands-bulk.js L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L482: import { L483: require_execa L484: } from "./chunks/chunk-24FCBXI4.js"; ... L1061: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1062: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1063: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1152: telemetry2.trackCliFlagHelp("agent"); L1153: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1154: return 2;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/commands-bulk.jsView on unpkg · L2
482import { L483: require_execa L484: } from "./chunks/chunk-24FCBXI4.js";
High
Shell

Package source references shell execution.

dist/commands-bulk.jsView on unpkg · L482
7103); L7104: const testUrl = `https://${deployment.url}${subpath}`; L7105: output_manager_default.log(`${import_chalk26.default.bold("Deployment URL:")} ${link_default(testUrl)}`); ... L7114: if (run3) { L7115: const proc = await (0, import_execa.default)(run3, [testUrl], { L7116: stdio: "inherit", ... L7118: env: { L7119: ...process.env, L7120: HOST: deployment.url,
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/commands-bulk.jsView on unpkg · L7103
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L482: import { L483: require_execa L484: } from "./chunks/chunk-24FCBXI4.js"; ... L1061: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1062: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1063: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1152: telemetry2.trackCliFlagHelp("agent"); L1153: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1154: return 2;
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/commands-bulk.jsView on unpkg · L2
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L482: import { L483: require_execa L484: } from "./chunks/chunk-24FCBXI4.js"; ... L1061: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1062: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1063: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1152: telemetry2.trackCliFlagHelp("agent"); L1153: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1154: return 2;
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/commands-bulk.jsView on unpkg · L2
2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L482: import { L483: require_execa L484: } from "./chunks/chunk-24FCBXI4.js"; ... L1061: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L1062: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L1063: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L1152: telemetry2.trackCliFlagHelp("agent"); L1153: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L1154: return 2;
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/commands-bulk.jsView on unpkg · L2
dist/get-latest-worker.cjsView file
16L17: const { mkdirSync, writeFileSync } = require('fs'); L18: const { access, mkdir, readFile, unlink, writeFile } = require('fs/promises');
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/get-latest-worker.cjsView on unpkg · L16
dist/index.jsView file
2Cross-file remote execution chain: dist/index.js spawns dist/commands-bulk.js; helper contains network access plus dynamic code execution. L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L118: if (stream == null) L119: stream = process.stdout; L120: if (callback == null) ... L141: var paths = __require("path"); L142: var isWinOS = /^win/i.test(process.platform); L143: function normalize_path(path2) { ... L188: const object = {}; L189: object.cache = () => process.env.XDG_CACHE_HOME || path2.join(osPaths.home() || osPaths.temp(), ".cache"); L190: object.config = () => process.env.XDG_CONFIG_HOME || path2.join(osPaths.home() || osPaths.temp(), ".config");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L2
dist/chunks/chunk-TLHKETA6.jsView file
path = dist/chunks/chunk-TLHKETA6.js kind = oversized_source_file sizeBytes = 2492451 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/chunks/chunk-TLHKETA6.jsView on unpkg
dist/chunks/chunk-W346YNDN.jsView file
matchType = previous_version_dangerous_delta matchedPackage = vercel@55.0.0 matchedIdentity = npm:dmVyY2Vs:55.0.0 similarity = 0.908 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/chunks/chunk-W346YNDN.jsView on unpkg

Findings

3 Critical6 High6 Medium8 Low
CriticalCredential Exfiltrationdist/commands-bulk.js
CriticalTrigger Reachable Dangerous Capabilitydist/commands-bulk.js
CriticalPrevious Version Dangerous Deltadist/chunks/chunk-W346YNDN.js
HighChild Processdist/vc.js
HighShelldist/commands-bulk.js
HighSame File Env Network Executiondist/commands-bulk.js
HighSandbox Evasion Gated Capabilitydist/commands-bulk.js
HighCross File Remote Execution Contextdist/index.js
HighOversized Source Filedist/chunks/chunk-TLHKETA6.js
MediumDynamic Requiredist/get-latest-worker.cjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/commands-bulk.js
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/commands-bulk.js
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings