DeepWiki MCP

Status: Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: deepwiki-mcp
Version: 1.0.0

The skill is designed to query an external AI service (mcp.deepwiki.com) using `curl` and `python3` for JSON parsing, as described in `SKILL.md` and implemented in `scripts/deepwiki.sh`. While it uses the `exec` tool and powerful system commands, the `deepwiki.sh` script correctly sanitizes user-provided inputs (repoName, question) using `json.dumps` before embedding them into the `curl` command's JSON payload, mitigating shell injection risks. There is no evidence of intentional malicious behavior, data exfiltration, persistence mechanisms, or prompt injection attempts against the agent in `SKILL.md`.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run a local shell helper that performs a network request when answering repository-source questions.

Why it was flagged

The skill intentionally uses local command execution to run a helper script. This is disclosed and central to the DeepWiki query workflow, but users should know the agent can run the script.

Skill content
The skill uses:
- `exec` tool to run the helper script (bash + curl + python3)
Recommendation

Use it for intended public-repository questions, and review the bundled script before installing if local command execution is a concern.

What this means

DeepWiki can receive the repository name and question text; generated answers from the service may also be stale or imperfect.

Why it was flagged

The helper sends JSON-RPC requests to an external MCP endpoint. The code shown sends the selected repository name and, for ask requests, the user's question text.

Skill content
DEEPWIKI_URL="https://mcp.deepwiki.com/mcp" ... curl -s -X POST "$DEEPWIKI_URL"
Recommendation

Do not include secrets, private repository details, or sensitive internal context in DeepWiki questions, and verify important answers against source when needed.

What this means

Users have less provenance information for deciding whether to trust the bundled helper and service instructions.

Why it was flagged

The registry metadata does not provide an upstream source or homepage, and the install mechanism is manual. The bundled script is included for review, so this is a provenance note rather than a behavioral concern.

Skill content
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Recommendation

Review the included files before installation and prefer a verified source or homepage when available.