LH DeepWiki

Security checks across malware telemetry and agentic risk

Overview

This skill is a small DeepWiki client that sends user-chosen public GitHub repository queries to DeepWiki and prints the response.

Use this skill for public repositories and non-sensitive questions. Do not include secrets, private repository identifiers, credentials, or confidential business details in queries, because the repo name, path, and question may be sent to DeepWiki.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script sends user-supplied repository names and query content to an external service at mcp.deepwiki.com, but it does not provide any explicit user-facing disclosure at execution time that this data leaves the local environment. In an agent-skill context, users may reasonably assume a documentation query is handled locally, so this can cause unintended disclosure of private repository identifiers, paths, or sensitive questions entered into the tool.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal