Chat DeepSeek by Browser

Security checks across malware telemetry and agentic risk

Overview

This DeepSeek browser skill is documented to handle login QR codes and send them through external messaging channels, which is too sensitive and under-scoped for a chat automation skill.

Install only if you are comfortable letting the skill control a browser session and send your DeepSeek prompts to chat.deepseek.com. Do not allow it to send login QR codes, screenshots, cookies, tokens, or phone numbers through messaging channels; prefer a separate isolated browser profile and complete login manually in the browser.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Description-Behavior Mismatch

High
Confidence: 95%
Finding
The skill's stated purpose is to automate chatting with DeepSeek, but the documentation expands that behavior into capturing login QR codes and distributing them over other messaging channels. A login QR is an authentication artifact, so broadening scope from browser automation to credential-handling and external transmission materially increases account takeover and privacy risk.

Context-Inappropriate Capability

High
Confidence: 96%
Finding
These lines instruct the agent to send login QR screenshots through iMessage, WhatsApp, QQBot, Slack, and similar channels, which is unrelated to the minimal need of interacting with a web chat page. Sending authentication material across multiple channels creates unnecessary exposure, widens the attack surface, and can leak account access material to unintended recipients or compromised integrations.

Context-Inappropriate Capability

Medium
Confidence: 84%
Finding
Reading a stored phone number from environment variables or configuration for a browser-chat skill introduces unnecessary access to personal contact data and ties the skill to an exfiltration workflow. Even if intended for convenience, this extends the skill beyond its stated purpose and enables automated transmission of sensitive material to external targets.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The documented shell commands automate sending QR-code screenshots via iMessage, WhatsApp, and QQBot, directly operationalizing exfiltration of login artifacts through external services. This is dangerous because it combines browser capture, local file handling, and outbound messaging into a single unattended flow that could leak sensitive authentication material and user metadata.

Description-Behavior Mismatch

High
Confidence: 98%
Finding
The skill's stated purpose is to automate DeepSeek chat interactions, but the workflow expands into capturing authentication QR codes and transmitting them over external messaging channels. This materially broadens data handling and account-access behavior beyond the core function, creating a pathway for credential interception, privacy violations, and unauthorized login assistance.

Context-Inappropriate Capability

High
Confidence: 97%
Finding
The skill instructs use of stored phone numbers and outbound messaging tools to send login artifacts and notifications, which are not necessary for answering user questions via DeepSeek. This creates unnecessary collection and use of personal contact data and enables unsolicited or covert transmission of sensitive authentication material to third-party channels.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill recommends attaching to the real user Chrome profile via remote debugging, which can expose unrelated tabs, cookies, sessions, saved state, and authenticated websites far beyond DeepSeek. In an agent context, this significantly enlarges the trust boundary and could permit access to sensitive browser data unrelated to the requested task.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill instructs sharing login QR-code screenshots and using phone-targeted messaging without any explicit warning, consent gate, or discussion of the sensitivity of those artifacts. In context, the omitted safety controls make the workflow more dangerous because the material being shared is directly tied to authentication and personal contact data.

Vague Triggers

Medium
Confidence: 89%
Finding
The package metadata uses a broad description and multiple generic aliases such as "ask-deepseek", "open-deepseek", and "deepseek-search", which can cause the skill to match common user requests intended generally for DeepSeek rather than specifically this browser-automation skill. Because the skill opens a website, logs in, and forwards user prompts to a third-party service, overbroad invocation increases the chance of unintended activation and unnecessary disclosure of user queries to an external platform.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill directs sending QR-code screenshots and user phone numbers through messaging channels without a clear, explicit privacy notice or just-in-time consent. Authentication artifacts and contact details are sensitive, and sharing them externally increases the chance of disclosure, retention, or misuse by other services or operators.

Missing User Warnings

Medium
Confidence: 93%
Finding
Recommending the user's live Chrome profile and remote debugging without a prominent warning obscures the extent of browser-state exposure. Users may reasonably expect only DeepSeek access, while the implementation can potentially observe or interact with unrelated tabs and authenticated sessions.

Ssd 3

High
Confidence: 98%
Finding
This section gives a natural-language procedure for capturing a login QR code and distributing it using a stored phone number until access is obtained. That is effectively an account-access acquisition workflow, and in this context the step-by-step guidance for moving authentication material off-platform is strongly indicative of credential exposure behavior rather than ordinary chat automation.

Ssd 4

High
Confidence: 94%
Finding
The skill narrates a multi-step process that begins with normal browser setup and then escalates into repeated capture and re-sending of login artifacts until the user account is accessible. That staged progression increases danger because it normalizes suspicious actions as part of a routine workflow and systematically works around login friction to obtain access.

Ssd 3

High
Confidence: 98%
Finding
The skill explicitly instructs the agent to capture login QR codes and forward them using stored user contact details through messaging tools. This operationalizes the handling and redistribution of sensitive authentication material, which could enable account compromise or unauthorized disclosure if intercepted, misrouted, or abused.

Ssd 4

High
Confidence: 97%
Finding
The staged workflow repeatedly checks login state, captures authentication QR codes, and re-sends them until access is obtained, which is a risky automation pattern around authentication. Even if intended for convenience, it normalizes repeated export of login challenges and could facilitate unauthorized account access, social engineering, or covert persistence in obtaining a session.

VirusTotal

66/66 vendors flagged this skill as clean.
