DeepSeek Chat

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The DeepSeek chat script is mostly purpose-aligned, but the package ships a real-looking API key and does not declare the required credential.

Review this skill before installing. Do not use the bundled config.env key; configure your own DeepSeek API key through a secret mechanism, and remember that prompts you send will go to DeepSeek's API.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users could unknowingly rely on a bundled or exposed API credential, and the key owner could face unauthorized usage or billing if the key is valid.

Why it was flagged

The package contains an apparent DeepSeek API credential rather than only a placeholder. This is also inconsistent with the registry metadata saying there is no primary credential and no required env var.

Skill content

DEEPSEEK_API_KEY=sk-058c4513...

Recommendation

Remove the bundled key, revoke it if it is real, and declare DEEPSEEK_API_KEY as a required user-provided secret instead of packaging it.

What this means

The skill may fail to run or be harder to review accurately because its declared requirements do not match its code.

Why it was flagged

The actual script requires Node.js, while the metadata only declares curl as a required binary. This is an incomplete runtime declaration rather than evidence of malicious behavior.

Skill content

#!/usr/bin/env node

Recommendation

Update the metadata to declare Node.js and remove the unnecessary curl requirement if curl is not used.

What this means

Users may expect file or web-search handling that is not actually implemented or scoped in the provided artifacts.

Why it was flagged

The included code only sends a text prompt to the DeepSeek chat completion endpoint and does not implement file handling or web search, so the description appears to overstate available capabilities.

Skill content

Supports Chinese conversation, file handling, and web search.

Recommendation

Either remove those claims or add clearly scoped implementations and documentation for file and search behavior.