DeepWiki MCP

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a disclosed DeepWiki query helper that sends repository questions to an external service, with no evidence of hidden persistence, credential theft, destructive behavior, or unrelated data access.

Install this only if you are comfortable sending repository names and your questions to DeepWiki's external service. Avoid including secrets, private code, internal system details, customer data, or confidential repo names in prompts, and prefer explicit invocation when you intend to use DeepWiki.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly instructs use of an exec-capable helper script and shell commands, but the metadata does not declare corresponding permissions or capabilities. This creates a transparency and policy-enforcement gap: users or orchestration systems may not realize the skill can execute shell commands and initiate outbound network activity.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger language is broad enough to activate on many ordinary repository-related questions, which can cause the skill to run unexpectedly and send prompts to an external service. In this skill's context, that increases the chance of unnecessary off-box disclosure of user queries and defeats the user's expectation of controlling when third-party network access occurs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explains that the helper script posts user questions and repository identifiers to https://mcp.deepwiki.com, but it does not clearly warn that this data leaves the local environment. In a code-assistance context, users may include sensitive repository names, internal assumptions, or proprietary snippets in queries, creating an avoidable data exposure risk to a third-party service.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Several triggers such as 'check the source', 'repo architecture', and 'codebase question' are broad enough to match ordinary requests outside the user's intent to use this third-party service. Over-broad activation can cause unintended routing of prompts and unnecessary transmission of repository names or questions to an external endpoint.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill directs the agent to send repository identifiers and natural-language questions to DeepWiki's external MCP endpoint but does not clearly warn users that their queries leave the local environment. This can expose sensitive internal repo names, proprietary architecture questions, or other confidential context if the skill is triggered inappropriately.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script sends the repository name and the user's free-form question to an external DeepWiki MCP endpoint without any inline warning, confirmation, or data-sensitivity check. In a skill context, users may ask about private code fragments, internal architecture, secrets, or unpublished details, causing unintended disclosure to a third-party service.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases and regex patterns are broad enough to match many ordinary repository or source-code questions, which can cause this skill to activate unexpectedly. Because the skill requires exec and external tooling, over-triggering increases the chance of unnecessary command execution or unreviewed data retrieval in contexts where the user did not explicitly intend to invoke DeepWiki.
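The three Vague Triggers findings above can be checked rather than argued. The script below is an added example for this report, not the scanned skill's code or DeepWiki's: it runs the trigger phrases quoted in the findings ('ask deepwiki', 'check the source', 'repo architecture', 'codebase question') against a constructed set of prompts and counts how many would route to the skill under the broad rule versus a narrowed rule that fires only when the user actually names DeepWiki, which is the explicit invocation the overview recommends. The skill's real regex patterns are not shown in the report, so case-insensitive substring matching stands in for them; the prompt set is constructed.

```shell
#!/bin/sh
# Added example for this report, not the scanned skill's code. Trigger phrases
# are the ones quoted in the findings; substring matching stands in for the
# skill's real regexes, which this report does not show.
TRIGGERS='ask deepwiki
check the source
repo architecture
codebase question'

# Constructed prompts: four ordinary developer requests and one explicit
# DeepWiki request.
PROMPTS='please check the source tree for TODOs
what is the repo architecture of this monorepo
I have a codebase question about our billing service
run the tests
ask deepwiki about kubernetes/kubernetes'

# trigger_hits PROMPT: prints each trigger phrase that fires on PROMPT.
trigger_hits() {
  printf '%s\n' "$TRIGGERS" | while IFS= read -r phrase; do
    if printf '%s' "$1" | grep -i -q -F -- "$phrase"; then
      printf '%s\n' "$phrase"
    fi
  done
}

# explicit_trigger PROMPT: the narrowed rule, firing only when the user
# names DeepWiki.
explicit_trigger() {
  printf '%s' "$1" | grep -i -q 'deepwiki'
}

# count_firing RULE: how many of PROMPTS would route to the skill under
# RULE = broad (any trigger phrase matches) or explicit (must name DeepWiki).
count_firing() {
  n=0
  while IFS= read -r prompt; do
    if [ "$1" = broad ]; then
      fired="$(trigger_hits "$prompt")"
    elif explicit_trigger "$prompt"; then
      fired=yes
    else
      fired=
    fi
    if [ -n "$fired" ]; then n=$((n + 1)); fi
  done <<EOF
$PROMPTS
EOF
  echo "$n"
}
```

With this prompt set the broad rule fires on four of five prompts, three of which never mention DeepWiki; the explicit rule fires only on the one that does. Run `count_firing broad` and `count_firing explicit` after sourcing the file, and extend PROMPTS with your own team's typical requests to measure the false-positive rate that matters to you.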

External Transmission

Medium
Category
Data Exfiltration
Content
- Use `topics` to find relevant documentation sections
- Use `docs` for broader context (but note: output can be very large)

## Direct curl (fallback)

If the helper script is unavailable:
Confidence
89% confidence
Finding
Matched snippet (truncated in the scan output):
  curl -s -X POST https://mcp.deepwiki.com/mcp \
    -H "Content-Type: application/json" \
    -H "Accept: application/json, text/event-stream"

External Transmission

Medium
Category
Data Exfiltration
Content
call_mcp() {
  local tool="$1"
  local args_json="$2"
  curl -s -X POST "$DEEPWIKI_URL" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json, text/event-stream" \
    -d "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"$tool\",\"arguments\":$args_json}}" \
Confidence
96% confidence
Finding
Matched snippet (truncated in the scan output):
  curl -s -X POST "$DEEPWIKI_URL" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json, text/event-stream" \
    -d

Shadow Command Trigger

Medium
Category
Trigger Abuse
Confidence
72% confidence
Finding
The trigger phrase 'ask deepwiki' overlaps with the generic action word 'ask', increasing the chance of accidental invocation or parser ambiguity with built-in commands. While not directly enabling code execution, trigger confusion can route user requests unexpectedly into a skill that performs external network calls.
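The Missing User Warnings findings say the helper posts the repository name and question "without any inline warning, confirmation, or data-sensitivity check", and the call_mcp excerpt under External Transmission builds its JSON-RPC body by interpolating $tool and $args_json straight into a string, so a question containing a double quote breaks the request and could reshape it. The gate below is an added example for this report, not the scanned skill's script or DeepWiki's code. It refuses to name repositories under a private prefix, refuses questions that match credential-like patterns, requires an explicit opt-in variable so an over-broad or shadowed trigger cannot post a query on its own, and escapes every user-supplied string before it reaches the request body. The variable names DEEPWIKI_CONFIRM and DEEPWIKI_DRY_RUN, the private-prefix list, the secret patterns, the ask_question tool name used in the usage line, and the repoName/question argument names are all assumptions; only DEEPWIKI_URL, the endpoint and the tools/call shape come from the report.

```shell
#!/bin/sh
# Added example for this report, not the scanned skill's helper script.
# Gate in front of an outbound DeepWiki MCP call. Assumed names (not from the
# skill): DEEPWIKI_CONFIRM, DEEPWIKI_DRY_RUN, PRIVATE_REPO_PREFIXES, the
# sample prefixes and secret patterns, and the repoName/question arguments.

DEEPWIKI_URL="${DEEPWIKI_URL:-https://mcp.deepwiki.com/mcp}"

# Constructed sample: repository prefixes that must never be named off-box.
PRIVATE_REPO_PREFIXES="acme-internal/ acme-corp/"

# Constructed sample patterns (POSIX ERE, one per line) for credential-like text.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}
ghp_[0-9A-Za-z]{36}
-----BEGIN [A-Z ]*PRIVATE KEY-----
([Pp]assword|[Ss]ecret|[Tt]oken|api_key|API_KEY)[[:space:]]*[:=]
Bearer [0-9A-Za-z._-]{20,}'

# query_is_safe REPO QUESTION: returns 0 if nothing sensitive was found, 1 otherwise.
query_is_safe() {
  repo="$1"; question="$2"
  for prefix in $PRIVATE_REPO_PREFIXES; do
    case "$repo" in
      "$prefix"*) echo "refused: $repo is a private repository" >&2; return 1 ;;
    esac
  done
  while IFS= read -r pat; do
    [ -n "$pat" ] || continue
    if printf '%s' "$question" | grep -E -q -- "$pat"; then
      echo "refused: question matches secret pattern '$pat'" >&2
      return 1
    fi
  done <<EOF
$SECRET_PATTERNS
EOF
  return 0
}

# json_string STR: STR as a JSON string literal with backslash, double quote
# and newline escaped, so user text cannot break out of the request body.
json_string() {
  printf '"%s"' "$(printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' \
    | awk '{ if (NR > 1) printf "%s", "\\n"; printf "%s", $0 }')"
}

# build_args REPO QUESTION: tool arguments (argument names are an assumption).
build_args() {
  printf '{"repoName":%s,"question":%s}' "$(json_string "$1")" "$(json_string "$2")"
}

# build_request TOOL ARGS_JSON: the JSON-RPC tools/call body, same shape as
# the scanned helper's but with the tool name escaped.
build_request() {
  printf '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":%s,"arguments":%s}}' \
    "$(json_string "$1")" "$2"
}

# deepwiki_query TOOL REPO QUESTION: the gated send. DEEPWIKI_CONFIRM=1 is
# required so a trigger match alone cannot post off-box; DEEPWIKI_DRY_RUN=1
# prints the body instead of sending it.
deepwiki_query() {
  if [ "${DEEPWIKI_CONFIRM:-0}" != 1 ]; then
    echo "refused: set DEEPWIKI_CONFIRM=1 to send this query to $DEEPWIKI_URL" >&2
    return 2
  fi
  query_is_safe "$2" "$3" || return 1
  body="$(build_request "$1" "$(build_args "$2" "$3")")"
  if [ "${DEEPWIKI_DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$body"
    return 0
  fi
  curl -s -X POST "$DEEPWIKI_URL" \
    -H "Content-Type: application/json" \
    -H "Accept: application/json, text/event-stream" \
    -d "$body"
}
```

Usage, after sourcing the file: `DEEPWIKI_CONFIRM=1 DEEPWIKI_DRY_RUN=1 deepwiki_query ask_question octocat/Hello-World 'Where is the entry point?'` prints the body that would be sent; drop DEEPWIKI_DRY_RUN to send it. Without DEEPWIKI_CONFIRM=1 the call is refused regardless of what triggered it, which is the property the skill's metadata and README currently leave to the user's attention. The secret patterns are a floor, not a ceiling: add your organisation's token formats, and keep the private-prefix list in sync with the repositories whose names alone are confidential.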

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal