ClawHub

deepseek-balance

Security checks across malware telemetry and agentic risk

Overview

This skill does the advertised DeepSeek balance check, but it can send an Anthropic token to DeepSeek if a DeepSeek key is not set.

Install only if you will set DEEPSEEK_API_KEY explicitly. Do not run it in an environment where ANTHROPIC_AUTH_TOKEN is set unless that variable intentionally contains a DeepSeek API key; otherwise remove the fallback before use.

Publisher note

--- name: deepseek-balance description: 查询 DeepSeek API 账户余额 version: 1.0.0 tags: [deepseek, api, balance] --- # DeepSeek 余额查询技能 ## 执行代码 ```bash #!/bin/bash API_KEY="${DEEPSEEK_API_KEY:-$ANTHROPIC_AUTH_TOKEN}" if [ -z "$API_KEY" ]; then echo "❌ 请设置 DEEPSEEK_API_KEY 环境变量" exit 1 fi curl -s -X GET 'https://api.deepseek.com/user/balance' \ -H "Authorization: Bearer $API_KEY" \ | python3 -c " import sys,json d=json.load(sys.stdin) if d.get('is_available'): b=d['balance_infos'][0] print(f\"✅ 余额: {b['total_balance']} {b['currency']} (赠送: {b['granted_balance']})\") else: print('⚠️ 无可用余额') "

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill explicitly falls back to using ANTHROPIC_AUTH_TOKEN for a DeepSeek API request, which repurposes a credential intended for a different service. This creates a cross-service secret misuse risk: the skill can transmit a sensitive token outside its stated purpose, potentially leaking or misusing credentials if the token is valid for another endpoint or if operators assume it will never leave the Anthropic context.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal