AgentReadyHomeAgent Listing

← Vercel deploy-to-vercel

Vercel deploy-to-vercel — agentic threat model

9.4AIVSS 9.4 · Critical

The Vercel deploy-to-vercel agent poses high operational risk due to its ability to execute CLI commands and deploy code directly to production using the user's credentials, making it a high-value target for prompt injection and supply chain attacks.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base 8.8AARS uplift 0.55Factor sum 4.2/10Threat ×1.1Mitigation ×1.0
Autonomy of Action
0.80
Goal-Driven Planning
0.30
Self-Modification
0.00
Dynamic Tool Use
0.80
Persistent Memory
0.10
Contextual Awareness
0.50
Dynamic Identity
0.90
Multi-Agent Interactions
0.10
Non-Determinism
0.40
Opacity & Reflexivity
0.30

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models⚠ not certain from listing

Not certain from the listing — the specific foundation model parsing the natural language trigger is not disclosed. Threat: Prompt injection could trick the model into triggering unauthorized deployments or altering deployment parameters.

L2 · Data Operations⚠ not certain from listing

Not certain from the listing — the mechanism for handling project files, build artifacts, and environment variables is not detailed. Threat: Exposure or leakage of sensitive environment variables during the data ingestion phase.

L3 · Agent Frameworks✓ mapped

The agent framework orchestrates Vercel CLI execution based on user prompts. Threat: Insecure tool integration where malicious inputs manipulate CLI arguments, leading to unauthorized code execution or deployment of arbitrary branches.

L4 · Deployment & Infrastructure✓ mapped

The agent runs the Vercel CLI to perform real deployment actions. Threat: If the execution environment hosting the CLI is not strictly sandboxed, a malicious build script could lead to container escape, host compromise, or lateral movement.

L5 · Evaluation & Observability⚠ not certain from listing

Not certain from the listing — there is no mention of logging, guardrails, or deployment verification mechanisms beyond returning the live URL. Threat: Lack of observability could allow unauthorized or malicious deployments to go undetected.

L6 · Security & Compliance (cross-cutting)✓ mapped

The agent authenticates and takes real actions against the user's Vercel account. Threat: Insufficiently scoped API tokens or insecure credential storage could lead to full account takeover or unauthorized production modifications.

L7 · Agent Ecosystem⚠ not certain from listing

Not certain from the listing — the interaction model with other marketplace agents is not defined. Threat: A compromised upstream agent in a multi-agent workflow could maliciously trigger this deployment skill to push backdoored code.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).