Chat DeepSeek by Browser

Security checks across malware telemetry and agentic risk

Overview

The skill is a transparent DeepSeek browser automation helper, but it asks for broad command access and tells the agent to forward login QR-code screenshots through messaging apps.

Review before installing. Use a dedicated browser profile and avoid sending secrets or sensitive personal data. Prefer scanning the DeepSeek login QR code directly in the local browser, and do not let the skill forward QR screenshots through iMessage, WhatsApp, Signal, or other channels unless you fully trust the destination and understand the account-access risk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The documented workflow sends DeepSeek QR-code screenshots and chat outputs through external messaging channels that are outside the skill's stated browser-automation purpose. This creates a clear data-exfiltration path for sensitive login artifacts and conversation content, especially because QR codes can enable account access and messages may contain private user data.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The manifest grants broad Bash, curl, npm/npx, file read/write, and web fetch capabilities even though the stated function is just automating a browser chat session. Excessive permissions increase blast radius: a compromised or misused skill could access files, invoke arbitrary commands, or transmit data externally far beyond what is needed for DeepSeek interaction.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill’s stated purpose is browser-based DeepSeek chat automation, but it additionally instructs the agent to transmit login QR-code screenshots over unrelated channels such as iMessage, WhatsApp, and Signal. That expands the data-exfiltration surface and can expose authentication artifacts or sensitive browser state outside the intended workflow without any clear trust boundary or user-consent guardrails.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill is designed to relay user prompts and model responses, and the documentation also references forwarding content through external channels, but it does not provide a meaningful privacy notice or consent flow. That can cause sensitive user data or AI outputs to be disclosed or retained by unintended systems without the user's informed approval.

Missing User Warnings

High
Confidence: 97%
Finding
The QR-code sharing flow instructs the system to capture a login QR code and transmit it over iMessage, WhatsApp, or Signal without an explicit warning about the sensitivity of that artifact. Login QR codes are authentication material, so forwarding them through external channels materially increases account-takeover and interception risk.

Vague Triggers

Medium
Confidence: 86%
Finding
The trigger phrases are overly broad everyday language such as asking something to DeepSeek, which can cause the skill to activate in situations where the user did not clearly consent to sending their prompt to a third-party website. In an agent environment, ambiguous routing increases the chance of unintentional data disclosure to external services.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill description omits a clear warning that user messages will be sent to chat.deepseek.com, a third-party service. Without that disclosure, users and orchestrators may treat the skill like a local automation utility and inadvertently expose sensitive prompts, account data, or regulated information.

Missing User Warnings

High
Confidence: 97%
Finding
The documentation directs the agent to capture a login QR code and send it through messaging channels, but provides no explicit warning about the sensitivity of authentication material or the risks of forwarding it. Authentication artifacts should be treated as highly sensitive because interception, misdelivery, or persistence in messaging histories could enable account compromise or abuse.

Ssd 3

High
Confidence: 99%
Finding
The skill explicitly instructs capturing a login QR code from the browser and forwarding it to external messaging channels. That creates a direct path for exfiltrating authentication material, broadens exposure to additional platforms and recipients, and undermines the security expectations of a browser-only login flow.

VirusTotal

65/65 vendors flagged this skill as clean.
