Deepseek V4

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward DeepSeek command-line helper that sends user prompts to DeepSeek using the expected API key, with no hidden or destructive behavior found.

Install only if you are comfortable sending prompts, system prompts, and chat history to DeepSeek's external API. Keep DEEPSEEK_API_KEY private, avoid storing it in shared shell history or logs, and do not submit confidential or regulated data unless that use is approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The script sends the user's prompt and optional system prompt to DeepSeek's remote API, but it does not clearly warn the user at the point of use that their input will leave the local machine. This creates a privacy and data-handling risk, especially if users paste secrets, proprietary code, or sensitive operational data into the CLI under the assumption it runs locally.

Missing User Warnings

Medium
Confidence: 79%
Finding
The script sends conversation contents, including system prompts, prior messages, and user input, to an external third-party API without an explicit privacy or data-handling warning at the point of use. In an agent-skill context, users may paste secrets, internal prompts, or sensitive operational data, so undisclosed off-device transmission creates meaningful confidentiality risk.

VirusTotal

66/66 vendors flagged this skill as clean.
