byoa-deploy-vercel
Facilitates the deployment of BYOA wake-receiver functions on Vercel, managing environment variables and health checks seamlessly.
Security score
The byoa-deploy-vercel skill was audited on Jun 1, 2026 and we found 36 security issues across 5 threat categories, including 8 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| Line | Snippet |
| 68 | ```bash |
| 134 | First resolve the LLM-provider API key name + value from `TASK_LLM_PROVIDER` in one shot (resolving both here avoids `${!VAR}` indirect expansion, which works in bash but not zsh — and zsh is the defa |
| 194 | # Use `cut`, not awk's positional-field operator — the loader rewrites literal |
| 216 | ```bash |
| 232 | ```bash |
| 257 | ```bash |
| 277 | ```bash |
| 298 | ```bash |
| 318 | - Canonical alias (`${ALIAS_URL}`) — what's registered as `source_url` |
| 319 | - Per-deploy URL (`${DEPLOY_URL}`) — for `vercel inspect` / dashboard only; SSO-gated |
| 320 | - Wake endpoint (`${ALIAS_URL}/api/wake`) |
| 323 | - Next step: start a task on the ship from the bot. Tail Vercel logs with `npx vercel logs ${ALIAS_URL}` and watch for the first wake — the initial clone + `uv sync` takes 30–60s on cold sandbox. |

Ngrok tunnel reference
| Line | Snippet |
| 35 | **Game tool calls route through the bus, not direct HTTP.** The BYOA harness running in the Vercel sandbox never calls the game server directly — it publishes `BusGameToolCallRequest` messages onto th |

Access to .env file
| Line | Snippet |
| 3 | description: Deploy the BYOA wake-receiver Vercel Function from `deployment/vercel/`. Reads `.env.byoa`, pushes the operator's required env to the Vercel project, deploys via `npx vercel`, health-chec |
| 10 | Picks up where `/byoa-link` finishes. The operator's ship is already claimed as BYOA, `.env.byoa` is populated with `BYOA_CHARACTER_ID` / `BYOA_SHIP_ID` / `BYOA_WAKE_SECRET`, and the per-ship wake sec |
| 22 | - `local` → sources `SUPABASE_URL` from `.env.supabase` (e.g. `http://127.0.0.1:54321` when `npx supabase start` is running) |
| 35 | **Game tool calls route through the bus, not direct HTTP.** The BYOA harness running in the Vercel sandbox never calls the game server directly — it publishes `BusGameToolCallRequest` messages onto th |
| 41 | - `.env.byoa` does not exist in cwd → direct the operator to run `/byoa-link` first. |
| 42 | - `.env.byoa` is missing any required key: `BYOA_WAKE_SECRET`, `BYOA_SHIP_ID`, `BYOA_CHARACTER_ID`, `TASK_LLM_PROVIDER`, `TASK_LLM_MODEL`, and the API key matching the provider (one of `ANTHROPIC_API_ |
| 45 | - For `env=local`: `.env.supabase` is missing or `SUPABASE_URL` is unset inside it. |
| 63 | set -a && source .env.byoa && set +a |
| 71 | local) set -a && source .env.supabase && set +a ;; |
| 130 | Push the values from `.env.byoa` to the **production** Vercel environment only. The wake function is invoked through the production alias (`<projectName>.vercel.app`) and preview/development environme |
| 132 | All `vercel` invocations use `--cwd deployment/vercel` instead of `cd deployment/vercel && ...` — that way the snippet runs the same whether or not the caller wraps it in a subshell, and accidental cw |
| 328 | - **Missing `.env.byoa`**: run `/byoa-link` first. |

Prompting for password/secret input
| Line | Snippet |
| 28 | - **--access-token <jwt>**: skip the email+password prompt in step 8 by reusing an existing user JWT (e.g. one just minted by `/byoa-link`). Token must be valid for the same operator who owns the ship |

Prompting for API key/token input
| Line | Snippet |
| 28 | - **--access-token <jwt>**: skip the email+password prompt in step 8 by reusing an existing user JWT (e.g. one just minted by `/byoa-link`). Token must be valid for the same operator who owns the ship |

External URL reference
| Line | Snippet |
| 12 | End state: a Vercel deployment at `https://<their-project>.vercel.app/api/wake` that auths inbound wakes against `BYOA_WAKE_SECRET` and spawns a persistent `@vercel/sandbox` running `uv run byoa` per |
| 21 | - `prod` / `live` → `https://api.gradient-bang.com` (hardcoded; operator never types it; no env file needed). If the operator types nothing, this is what they get. |
| 22 | - `local` → sources `SUPABASE_URL` from `.env.supabase` (e.g. `http://127.0.0.1:54321` when `npx supabase start` is running) |
| 70 | prod|live) SUPABASE_URL=https://api.gradient-bang.com ;; |
| 74 | # SUPABASE_URL now points at api.gradient-bang.com (prod/live) or http://127.0.0.1:54321 (local) |
| 191 | DEPLOY_URL=$(grep -oE 'https://[a-z0-9-]+\.vercel\.app' /tmp/byoa-deploy.log | head -1) |
| 197 | ALIAS_URL=$(grep -oE 'Aliased: https://[^ ]+' /tmp/byoa-deploy.log | head -1 | cut -d' ' -f2) |
| 202 | ALIAS_URL="https://${PROJECT_NAME}.vercel.app" |
| 335 | - **`Aliased:` line missing from `vercel deploy` output**: happens on preview deploys (no automatic alias) and on first-ever production deploy for some projects. The step-5 snippet falls back to const |