Skill v1.0.0
ClawScan security
DeepSeep Intergration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Feb 21, 2026, 4:27 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill claims to integrate with a DeepSeek API but the code is a placeholder and the docs ask for an API key that the manifest/code don't actually require—this inconsistency warrants caution.
- Guidance: This package appears incomplete and inconsistent rather than actively malicious. Before installing or providing secrets: (1) ask the author for a clear implementation timeline or source of the DeepSeek API calls; (2) do not set or share DEEPSEEK_API_KEY with this skill until the code actually uses it and you can verify the endpoint; (3) review any future code changes to ensure network calls go to an expected, documented DeepSeek endpoint (not a third-party URL); and (4) prefer testing in a sandboxed environment. If you need a working DeepSeek integration now, request an update that shows concrete network logic and a declared required env var in the manifest.
Review Dimensions
- Purpose & Capability (concern): The skill's name/description claim a DeepSeek API integration, but the included tool implementation is a stub that does not call any network endpoint or use an API key. SKILL.md asks users to set DEEPSEEK_API_KEY, yet the skill manifest lists no required env vars and the code never reads any environment variables—this is an incoherent/unfinished implementation.
- Instruction Scope (note): SKILL.md gives high-level usage (code generation, analysis) and instructs setting DEEPSEEK_API_KEY, but provides no concrete runtime instructions or endpoints. The instructions are vague and grant the agent broad discretion to 'use' DeepSeek without defined calls. Currently the runtime instructions do not match the actual tool behavior (the tool merely echoes prompts).
- Install Mechanism (ok): No install spec is provided and the skill is instruction+small node tool only. Nothing will be downloaded or extracted during install, which keeps install risk low.
- Credentials (concern): SKILL.md requests DEEPSEEK_API_KEY, but requires.env is empty and the JS tool does not read any credentials. Requiring an API key in docs without declaring it or using it in code is inconsistent and could mislead users into providing secrets unnecessarily.
- Persistence & Privilege (ok): The skill does not request always:true and contains no code to modify other skills or system configuration. It appears to have standard, limited privilege if installed.
