GEO Performance Analysis DeepSeek

Security checks across malware telemetry and agentic risk

Overview

This skill performs the advertised DeepSeek-based brand visibility analysis, with ordinary API-key, external-data, and dependency risks that users should understand.

Install in an isolated Python environment, consider pinning reviewed dependency versions, and use a dedicated DeepSeek API key with usage limits. Do not analyze confidential or embargoed brand/category information unless DeepSeek's data handling and token costs are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The documented trigger phrases are broad and do not define clear boundaries, so an agent may invoke this skill for loosely related requests about brand analysis or AI visibility without sufficient user intent. Because the skill sends user-supplied brand and category data to an external API, unintended activation can cause unnecessary data disclosure, unexpected costs, and workflow hijacking away from safer or more appropriate skills.

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
pydantic>=2.0.0
python-dotenv>=1.0.0
Confidence
93% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
pydantic>=2.0.0
python-dotenv>=1.0.0
Confidence
95% confidence
Finding
pydantic>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0
pydantic>=2.0.0
python-dotenv>=1.0.0
Confidence
91% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category
Supply Chain
Confidence
86% confidence
Finding
pydantic

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
72% confidence
Finding
python-dotenv

VirusTotal

66/66 vendors flagged this skill as clean.
