
Vercel vercel-cli-with-tokens — agentic threat model

AIVSS 9.3 · Critical

This agent skill exposes high-privilege Vercel CLI commands and access tokens to an LLM, creating a high-risk vector for unauthorized deployments, infrastructure manipulation, and credential exfiltration if the agent is manipulated.

OWASP AIVSS score rationale

AIVSS = (CVSS_Base + AARS) × Mitigation_Factor, where AARS = (10 − CVSS_Base) × (Factor_Sum / 10) × ThM
CVSS base: 8.5
AARS uplift: 0.79
Factor sum: 5.0 / 10
Threat multiplier (ThM): ×1.05
Mitigation factor: ×1.0

Agentic risk factors:
Autonomy of Action: 0.70
Goal-Driven Planning: 0.40
Self-Modification: 0.10
Dynamic Tool Use: 0.80
Persistent Memory: 0.20
Contextual Awareness: 0.50
Dynamic Identity: 0.90
Multi-Agent Interactions: 0.30
Non-Determinism: 0.60
Opacity & Reflexivity: 0.50

Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
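The score above, recomputed from the stated formula and the factor table, as an added example that is not part of this listing; the one-decimal rounding, the CVSS v3.x qualitative severity bands and the 0.8 mitigation value in the sensitivity check are assumptions.

```python
# Added example (not from the listing): recompute the AIVSS score from the
# formula and factor table shown above, so the published 9.3 can be checked.
#   AIVSS = (CVSS_Base + AARS) * Mitigation_Factor
#   AARS  = (10 - CVSS_Base) * (Factor_Sum / 10) * ThM

# Agentic risk factors as published on this listing (each in 0.0-1.0).
VERCEL_CLI_FACTORS = {
    "Autonomy of Action": 0.70,
    "Goal-Driven Planning": 0.40,
    "Self-Modification": 0.10,
    "Dynamic Tool Use": 0.80,
    "Persistent Memory": 0.20,
    "Contextual Awareness": 0.50,
    "Dynamic Identity": 0.90,
    "Multi-Agent Interactions": 0.30,
    "Non-Determinism": 0.60,
    "Opacity & Reflexivity": 0.50,
}

# Assumption: CVSS v3.x qualitative bands are used for the severity label.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def aivss_score(cvss_base, factors, threat_multiplier=1.0, mitigation_factor=1.0):
    """Return factor sum, AARS uplift, final AIVSS score and severity label.

    The score is computed unrounded; rounding (assumed: 2 decimals for AARS,
    1 decimal for the score) is applied only to the returned values.
    """
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError("CVSS base must be in 0.0-10.0")
    if any(not 0.0 <= v <= 1.0 for v in factors.values()):
        raise ValueError("each agentic factor must be in 0.0-1.0")
    factor_sum = sum(factors.values())
    aars = (10.0 - cvss_base) * (factor_sum / 10.0) * threat_multiplier
    score = (cvss_base + aars) * mitigation_factor
    label = next((name for floor, name in SEVERITY_BANDS if score >= floor), "None")
    return {
        "factor_sum": round(factor_sum, 2),
        "aars": round(aars, 2),
        "score": round(score, 1),
        "severity": label,
    }


if __name__ == "__main__":
    # Published inputs: CVSS base 8.5, threat multiplier 1.05, mitigation 1.0.
    print(aivss_score(8.5, VERCEL_CLI_FACTORS, threat_multiplier=1.05))
    # Hypothetical sensitivity check: same agent, mitigation factor 0.8
    # (a placeholder value; the listing defines no mitigation scale).
    print(aivss_score(8.5, VERCEL_CLI_FACTORS, 1.05, mitigation_factor=0.8))
```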

MAESTRO 7-layer threat model

Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.

L1 · Foundation Models (⚠ not certain from listing)

Not certain from the listing — the underlying foundation model is not specified. However, any model used is vulnerable to prompt injection attacks that could trick the agent into executing arbitrary Vercel CLI commands or leaking the active Vercel token.

L2 · Data Operations (⚠ not certain from listing)

Not certain from the listing — there is no explicit mention of RAG or vector databases. The primary data risk is the exposure of Vercel access tokens and project configuration files within the agent's context window.

L3 · Agent Frameworks (✓ mapped)

The agent framework integrates directly with the Vercel CLI tool. The primary threat is insecure tool integration and tool misuse, where malicious or malformed inputs are passed directly to CLI execution blocks, potentially leading to command injection.

L4 · Deployment & Infrastructure (✓ mapped)

The agent executes CLI commands using a token for non-interactive authentication. If the execution environment is not strictly sandboxed, a compromised agent could leverage the CLI or local shell access to escalate privileges or exfiltrate the Vercel token from memory/disk.

L5 · Evaluation & Observability (⚠ not certain from listing)

Not certain from the listing — there are no mentioned logging, auditing, or guardrail mechanisms to monitor CLI commands before execution or to detect anomalous deployment behavior.

L6 · Security & Compliance (cross-cutting) (✓ mapped)

The agent handles highly sensitive credential surfaces (Vercel access tokens). There is a lack of visible identity and access management controls to restrict which users can trigger high-impact CLI commands (like project deletion or production deploys).

L7 · Agent Ecosystem (✓ mapped)

As an 'Agent Skill' designed to be integrated into broader agentic workflows, this tool introduces cascading risks. If a parent agent or a coordinating multi-agent system is compromised, this skill can be abused to deploy malicious code to production environments.

MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).