registry  /  vercel  /  54.18.7

vercel@54.18.7

The command-line interface for Vercel

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface. Dangerous-looking primitives are part of a user-invoked Vercel CLI for deploys, telemetry, update checks, MCP setup, and skills search/install prompts.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs vercel/vc CLI commands
Impact
No unconsented install-time execution, credential harvesting, exfiltration, persistence, or agent control hijack found
Mechanism
package-aligned CLI operations with explicit user actions
Rationale
Static source inspection shows an official Vercel CLI with no lifecycle hooks and no import-time malicious behavior. Agent/MCP/skills capabilities are user-invoked and guarded, while token/env/network use is aligned with Vercel CLI functionality.
Evidence
package.jsondist/vc.jsdist/index.jsdist/commands-bulk.jsdist/get-latest-worker.cjs
Network endpoints5
api.vercel.commcp.vercel.comtelemetry.vercel.com/api/vercel-cli/v1/eventsregistry.npmjs.org/-/package/${name}/dist-tagsskills.sh/api/search

Decision evidence

public snapshot
AI called this Clean at 94.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall lifecycle hooks; only bin vc/vercel -> dist/vc.js.
    • dist/vc.js only enables compile cache, handles help/version, then imports dist/index.js on CLI invocation.
    • dist/commands-bulk.js agent init writes AGENTS.md/CLAUDE.md only via explicit command with TTY confirmation or --yes.
    • dist/commands-bulk.js mcp setup is explicit CLI flow using deep links/manual setup for Vercel MCP, not lifecycle mutation.
    • Network endpoints are package-aligned: api.vercel.com, mcp.vercel.com, telemetry.vercel.com, registry.npmjs.org, skills.sh.
    • dist/get-latest-worker.cjs only fetches npm dist-tags and writes update cache/lock files.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
    Supply chain
    HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 107 file(s), 6.99 MB of source, external domains: 127.0.0.1, ai-gateway.vercel.sh, api.example.com, api.vercel.com, app.example.com, backend.internal, bitbucket.org, codeload.github.com, cursor.sh, dogs.are.great, err.sh, example.com, example.vercel.app, examples.vercel.sh, feross.org, fetch.spec.whatwg.org, gist.githubusercontent.com, github.com, gitlab.com, internal.example.com, mcp.vercel.com, mimesniff.spec.whatwg.org, mozilla.github.io, my-app-xxxxx.vercel.app, new-api.example.com, now.sh, openapi-internal.vercel.sh, openapi.vercel.sh, raw.githubusercontent.com, registry.npmjs.org, sites.google.com, stackoverflow.com, telemetry.vercel.com, tools.ietf.org, vercel.com, vercel.link, w3c.github.io, websockets.spec.whatwg.org, www.example.com, www.w3.org, your-project-abc123.vercel.app
    Oversized source lightweight scan
    dist/chunks/chunk-RB7WQKNC.js2.37 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsEvalShellDynamicRequireHighEntropyStringsUrlStringsbitbucket.orgfeross.orggithub.comgitlab.comstackoverflow.comtools.ietf.orgvercel.comvercel.linkwww.w3.org

    Source & flagged code

    10 flagged · loading source
    dist/index.jsView file
    461import { dirname, parse as parsePath, resolve as resolvePath } from "path"; L462: import { spawn } from "child_process"; L463: var import_fetch_dist_tags = __toESM(require_fetch_dist_tags(), 1);
    High
    Child Process

    Package source references child process execution.

    dist/index.jsView on unpkg · L461
    2Cross-file remote execution chain: dist/index.js spawns dist/chunks/chunk-OX7KI3LF.js; helper contains network access plus dynamic code execution. L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L115: if (stream == null) L116: stream = process.stdout; L117: if (callback == null) ... L138: var paths = __require("path"); L139: var isWinOS = /^win/i.test(process.platform); L140: function normalize_path(path2) { ... L185: const object = {}; L186: object.cache = () => process.env.XDG_CACHE_HOME || path2.join(osPaths.home() || osPaths.temp(), ".cache"); L187: object.config = () => process.env.XDG_CONFIG_HOME || path2.join(osPaths.home() || osPaths.temp(), ".config");
    High
    Cross File Remote Execution Context

    Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

    dist/index.jsView on unpkg · L2
    dist/commands-bulk.jsView file
    2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L445: import { L446: require_execa L447: } from "./chunks/chunk-24FCBXI4.js"; ... L673: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L674: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L675: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L764: telemetry2.trackCliFlagHelp("agent"); L765: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L766: return 2;
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/commands-bulk.jsView on unpkg · L2
    2Trigger-reachable chain: manifest.bin -> dist/vc.js -> dist/index.js -> dist/commands-bulk.js L2: import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L445: import { L446: require_execa L447: } from "./chunks/chunk-24FCBXI4.js"; ... L673: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L674: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L675: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L764: telemetry2.trackCliFlagHelp("agent"); L765: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L766: return 2;
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/commands-bulk.jsView on unpkg · L2
    445import { L446: require_execa L447: } from "./chunks/chunk-24FCBXI4.js";
    High
    Shell

    Package source references shell execution.

    dist/commands-bulk.jsView on unpkg · L445
    3220); L3221: const testUrl = `https://${deployment.url}${subpath}`; L3222: output_manager_default.log(`${import_chalk14.default.bold("Deployment URL:")} ${link_default(testUrl)}`); ... L3231: if (run3) { L3232: const proc = await (0, import_execa.default)(run3, [testUrl], { L3233: stdio: "inherit", ... L3235: env: { L3236: ...process.env, L3237: HOST: deployment.url,
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/commands-bulk.jsView on unpkg · L3220
    2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L445: import { L446: require_execa L447: } from "./chunks/chunk-24FCBXI4.js"; ... L673: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L674: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L675: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L764: telemetry2.trackCliFlagHelp("agent"); L765: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L766: return 2;
    High
    Sandbox Evasion Gated Capability

    Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

    dist/commands-bulk.jsView on unpkg · L2
    2import { fileURLToPath as __fileURLToPath } from 'node:url'; L3: import { dirname as __dirname_ } from 'node:path'; L4: const require = __createRequire(import.meta.url); ... L445: import { L446: require_execa L447: } from "./chunks/chunk-24FCBXI4.js"; ... L673: - Use AI Gateway for model routing, set AI_GATEWAY_API_KEY, using a model string (e.g. 'anthropic/claude-sonnet-4.6'), Gateway is already default in AI SDK L674: needed. Always curl https://ai-gateway.vercel.sh/v1/models first; never trust model IDs from memory L675: - For durable agent loops or untrusted code: use Workflow (pause/resume/state) + Sandbox; use Vercel MCP for secure infra access`; ... L764: telemetry2.trackCliFlagHelp("agent"); L765: output_manager_default.print(help(agentCommand, { columns: client.stderr.columns })); L766: return 2;
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/commands-bulk.jsView on unpkg · L2
    dist/get-latest-worker.cjsView file
    16L17: const { mkdirSync, writeFileSync } = require('fs'); L18: const { access, mkdir, readFile, unlink, writeFile } = require('fs/promises');
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/get-latest-worker.cjsView on unpkg · L16
    dist/chunks/chunk-RB7WQKNC.jsView file
    path = dist/chunks/chunk-RB7WQKNC.js kind = oversized_source_file sizeBytes = 2484789 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/chunks/chunk-RB7WQKNC.jsView on unpkg

    Findings

    2 Critical6 High5 Medium8 Low
    CriticalCredential Exfiltrationdist/commands-bulk.js
    CriticalTrigger Reachable Dangerous Capabilitydist/commands-bulk.js
    HighChild Processdist/index.js
    HighShelldist/commands-bulk.js
    HighSame File Env Network Executiondist/commands-bulk.js
    HighSandbox Evasion Gated Capabilitydist/commands-bulk.js
    HighCross File Remote Execution Contextdist/index.js
    HighOversized Source Filedist/chunks/chunk-RB7WQKNC.js
    MediumDynamic Requiredist/get-latest-worker.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumProtestware
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEval
    LowWeak Cryptodist/commands-bulk.js
    LowFilesystem
    LowObfuscated
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings