
Security audit

DeepSeek Bridge · DeepSeek API Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it claims, but it can automatically route broad user requests to DeepSeek and store full questions and answers locally in plaintext.

Review before installing. Use your own DeepSeek API key, remove or narrow the broad trigger phrase, and do not submit secrets, personal data, or confidential business content unless you are comfortable with it being sent to DeepSeek and stored in a local SQLite database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill documents environment-variable and network-dependent behavior, but no permissions metadata is declared. That creates a transparency and policy-enforcement gap: hosts or users may not realize the skill can access credentials and make outbound requests, increasing the chance of unintended data disclosure or unauthorized network use.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding: The documentation is internally inconsistent: it says the API key is required via environment variable, but later states a built-in key is used by default. A built-in credential is a serious secret-management risk because it may be hardcoded, shared across installations, and exposed to unauthorized users or abuse of the upstream API account.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding: The module documentation says this is a lightweight HTTP bridge, but the implementation also persists both questions and answers to a shared database. That mismatch can mislead deployers and users about data handling, increasing the risk that sensitive prompts are collected or retained without informed approval.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases include broad everyday wording such as 'ask this,' which can activate the skill unintentionally. In this skill's context, accidental activation can cause unexpected network transmission, background process startup, and persistence of user content to SQLite, making the overbroad triggers more than a mere usability issue.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill states that every question and answer is stored persistently in a shared SQLite database, but it does not provide a clear user-facing privacy warning or consent model. This creates a data retention and local disclosure risk, especially if prompts contain sensitive personal, business, or credential material.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The notes describe automatic startup of a local bridge process and use of an API key, but do not clearly warn that user content will be transmitted over the network to DeepSeek or that a background service may be launched. Lack of disclosure undermines informed consent and can lead to unexpected external sharing of sensitive prompts.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: User-supplied question content is stored in a shared database before any answer is returned, with no notice or consent mechanism in the code path. If users submit secrets, personal data, or proprietary content, this creates a privacy and data-governance risk because the information is retained in another system.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The code sends user question content to an external third-party API without any visible disclosure, consent, or content filtering. In a bridge service this may be functionally expected, but it is still a real privacy and compliance concern if callers are unaware that their input leaves the local environment.

Ssd 3

Severity: Medium
Confidence: 95%
Finding: Persistently logging every user question and model answer into a shared SQLite database creates a concrete confidentiality risk. Prompts often contain secrets, personal data, internal business content, or regulated information; storing them in plaintext shared local storage increases exposure through local compromise, backup leakage, or accidental access by other processes or users.

Ssd 3

Severity: Medium
Confidence: 93%
Finding: Encouraging use of a built-in API key by default suggests shared or embedded credentials, which is unsafe operationally and can expose a sensitive secret to all users of the skill. If such a key is extracted or abused, attackers could consume paid API resources, access associated telemetry, or impersonate legitimate usage.

VirusTotal

VirusTotal findings are pending for this skill version.


Static analysis

No suspicious patterns detected.