qa-gate-vercel

Validates pre-production deployments for Vercel/Supabase/Firebase by generating test plans and executing comprehensive validation checks.

Install this skill

or

0/100

Security score

The qa-gate-vercel skill was audited on Mar 3, 2026 and we found 51 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.

Categories Tested

Security Issues

high line 446

Direct command execution function call

SourceSKILL.md

446	const match = pattern.exec(output.content);

medium line 135

Template literal with variable interpolation in command context

SourceSKILL.md

135	const res = await fetch(`${BASE_URL}/api/entities`, {

medium line 136

Template literal with variable interpolation in command context

SourceSKILL.md

136	headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` },

medium line 142

Template literal with variable interpolation in command context

SourceSKILL.md

142	const res = await fetch(`${BASE_URL}/api/entities`);

medium line 148

Template literal with variable interpolation in command context

SourceSKILL.md

148	const res = await fetch(`${BASE_URL}/api/entities`, {

medium line 149

Template literal with variable interpolation in command context

SourceSKILL.md

149	headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` },

medium line 162

Template literal with variable interpolation in command context

SourceSKILL.md

162	const res = await fetch(`${BASE_URL}/api/entities`, {

medium line 165

Template literal with variable interpolation in command context

SourceSKILL.md

165	Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}`,

medium line 177

Template literal with variable interpolation in command context

SourceSKILL.md

177	const res = await fetch(`${BASE_URL}/api/entities`, {

medium line 179

Template literal with variable interpolation in command context

SourceSKILL.md

179	headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` },

medium line 403

Template literal with variable interpolation in command context

SourceSKILL.md

403	details: `Content length: ${output.content.length}, minimum: ${config.minLength}`,

medium line 410

Template literal with variable interpolation in command context

SourceSKILL.md

410	details: `Content length: ${output.content.length}, maximum: ${config.maxLength}`,

medium line 419

Template literal with variable interpolation in command context

SourceSKILL.md

419	details: `Tokens used: ${output.tokens_used}, budget: ${config.maxTokens}`,

medium line 428

Template literal with variable interpolation in command context

SourceSKILL.md

428	details: `Latency: ${output.latency_ms}ms, max: ${config.maxLatencyMs}ms`,

medium line 436

Template literal with variable interpolation in command context

SourceSKILL.md

436	rule: `required_section:${section}`,

medium line 438

Template literal with variable interpolation in command context

SourceSKILL.md

438	details: `Section "${section}" ${output.content.toLowerCase().includes(section.toLowerCase()) ? "found" : "missing"}`,

medium line 448

Template literal with variable interpolation in command context

SourceSKILL.md

448	rule: `forbidden_pattern:${pattern.source}`,

medium line 450

Template literal with variable interpolation in command context

SourceSKILL.md

450	details: match ? `Found forbidden pattern: "${match[0]}"` : "No forbidden patterns found",

medium line 512

Template literal with variable interpolation in command context

SourceSKILL.md

512	const judgingPrompt = `You are a strict QA evaluator. Assess the following LLM output against the original prompt.

medium line 544

Template literal with variable interpolation in command context

SourceSKILL.md

544	Authorization: `Bearer ${OPENROUTER_API_KEY}`,

medium line 571

Template literal with variable interpolation in command context

SourceSKILL.md

571	const res = await fetch(`${BASE_URL}/api/generate`, {

medium line 573

Template literal with variable interpolation in command context

SourceSKILL.md

573	headers: { "Content-Type": "application/json", Authorization: `Bearer ${TOKEN}` },

medium line 615

Template literal with variable interpolation in command context

SourceSKILL.md

615	headers: { Authorization: `Bearer ${process.env.VERCEL_TOKEN}` },

medium line 638

Template literal with variable interpolation in command context

SourceSKILL.md

638	const res = await fetch(`${process.env.SUPABASE_URL}/rest/v1/`, {

medium line 641

Template literal with variable interpolation in command context

SourceSKILL.md

641	Authorization: `Bearer ${process.env.SUPABASE_ANON_KEY}`,

medium line 648

Template literal with variable interpolation in command context

SourceSKILL.md

648	const res = await fetch(`${process.env.SUPABASE_URL}/auth/v1/health`);

low line 541

Fetch to external URL

SourceSKILL.md

541	const response = await fetch("https://openrouter.ai/api/v1/chat/completions", {

low line 614

Fetch to external URL

SourceSKILL.md

614	const res = await fetch("https://api.vercel.com/v6/deployments?limit=1", {

medium line 11

Access to .env file

SourceSKILL.md

11	You are a senior QA architect responsible for the final validation gate before production deployment. You do NOT write individual unit tests (that is test-sentinel's job). Instead, you orchestrate a c

medium line 15

Access to .env file

SourceSKILL.md

15	`OPENROUTER_API_KEY` is used in generated validation scripts to run LLM-as-judge evaluations on content quality. `SUPABASE_URL` and `SUPABASE_ANON_KEY` are referenced in generated API validation scrip

low line 130

Access to .env file

SourceSKILL.md

130	const BASE_URL = process.env.VALIDATION_BASE_URL \|\| "http://localhost:3000";

low line 136

Access to .env file

SourceSKILL.md

136	headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` },

low line 149

Access to .env file

SourceSKILL.md

149	headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` },

low line 165

Access to .env file

SourceSKILL.md

165	Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}`,

low line 179

Access to .env file

SourceSKILL.md

179	headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` },

low line 228

Access to .env file

SourceSKILL.md

228	await page.fill('[name="email"]', process.env.TEST_USER_EMAIL!);

low line 229

Access to .env file

SourceSKILL.md

229	await page.fill('[name="password"]', process.env.TEST_USER_PASSWORD!);

low line 332

Access to .env file

SourceSKILL.md

332	await page.fill('[name="email"]', process.env.TEST_USER_EMAIL!);

low line 333

Access to .env file

SourceSKILL.md

333	await page.fill('[name="password"]', process.env.TEST_USER_PASSWORD!);

low line 502

Access to .env file

SourceSKILL.md

502	const OPENROUTER_API_KEY = process.env.OPENROUTER_API_KEY;

low line 615

Access to .env file

SourceSKILL.md

615	headers: { Authorization: `Bearer ${process.env.VERCEL_TOKEN}` },

low line 638

Access to .env file

SourceSKILL.md

638	const res = await fetch(`${process.env.SUPABASE_URL}/rest/v1/`, {

low line 640

Access to .env file

SourceSKILL.md

640	apikey: process.env.SUPABASE_ANON_KEY!,

low line 641

Access to .env file

SourceSKILL.md

641	Authorization: `Bearer ${process.env.SUPABASE_ANON_KEY}`,

low line 648

Access to .env file

SourceSKILL.md

648	const res = await fetch(`${process.env.SUPABASE_URL}/auth/v1/health`);

medium line 832

Access to .env file

SourceSKILL.md

832	- NEVER hardcode auth tokens in test files — always use process.env

medium line 841

Access to .env file

SourceSKILL.md

841	- NEVER read or modify `.env`, `.env.local`, or any credential file directly

medium line 842

Access to .env file

SourceSKILL.md

842	- All env var references are in generated test code via `process.env.*`

low line 130

External URL reference

SourceSKILL.md

130	const BASE_URL = process.env.VALIDATION_BASE_URL \|\| "http://localhost:3000";

low line 541

External URL reference

SourceSKILL.md

541	const response = await fetch("https://openrouter.ai/api/v1/chat/completions", {

low line 614

External URL reference

SourceSKILL.md

614	const res = await fetch("https://api.vercel.com/v6/deployments?limit=1", {

Scanned on Mar 3, 2026

View Security Dashboard

Installation guide →

GitHub Stars 2.2K

Rate this skill

Categorydevelopment

UpdatedApril 4, 2026

openclaw testing api backend qa-engineer devops-sre backend-developer vercel supabase firebase development

openclaw/skills