DeepWiki MCP
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run a local shell helper that performs a network request when answering repository-source questions.
The skill intentionally uses local command execution to run a helper script. This is disclosed and central to the DeepWiki query workflow, but users should know the agent can run the script.
The skill uses: - `exec` tool to run the helper script (bash + curl + python3)
Use it for intended public-repository questions, and review the bundled script before installing if local command execution is a concern.
DeepWiki can receive the repository name and question text; generated answers from the service may also be stale or imperfect.
The helper sends JSON-RPC requests to an external MCP endpoint. The shown code sends the selected repository and, for ask requests, the user's question.
DEEPWIKI_URL="https://mcp.deepwiki.com/mcp" ... curl -s -X POST "$DEEPWIKI_URL"
Do not include secrets, private repository details, or sensitive internal context in DeepWiki questions, and verify important answers against source when needed.
Users have less provenance information for deciding whether to trust the bundled helper and service instructions.
The registry metadata does not provide an upstream source or homepage, and the install mechanism is manual. The bundled script is included for review, so this is a provenance note rather than a behavioral concern.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included files before installation and prefer a verified source or homepage when available.