Security audit

DeepLink Agentic

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed client for a real-estate research service, but it handles account tokens and remote task data that users should treat carefully.

Install only if you trust agentic.dichanai.com with the prompts and files you choose to send. Use a limited or short-lived AGENTIC_TOKEN where possible, do not share terminal output containing NEW_TOKEN, and treat delete/share as high-impact actions because delete removes remote tasks and share can make task contents publicly accessible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill invokes a Python script that uses both an environment secret (AGENTIC_TOKEN) and outbound network access to a third-party service, yet it does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: users and the hosting platform may not realize the skill can exfiltrate user prompts, uploaded files, and token-derived data to an external endpoint.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s stated purpose is deep real-estate research, but this CLI includes broad account and task administration capabilities such as profile retrieval, deletion, sharing, token renewal, and schedule management. That scope expansion increases attack surface and enables actions beyond the minimum required for research execution, violating least-privilege expectations for a narrowly described skill.

Context-Inappropriate Capability

Low
Confidence
81% confidence
Finding
User profile retrieval is not necessary for creating or retrieving real-estate research tasks, so exposing it widens data access beyond the declared function of the skill. Even if the endpoint is legitimate, unnecessary identity or account metadata access creates avoidable privacy and misuse risk.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatic token expiry checking and renewal are administrative credential-management features, not core real-estate research functionality. In this implementation they also culminate in printing a fresh credential, making the scope expansion more sensitive because the skill handles and reveals bearer tokens.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The share command makes a task public and generates a public URL, which is not inherently required for deep research execution. Because research tasks may contain uploaded documents, outputs, or internal analysis, enabling publication inside a research skill creates a direct confidentiality exposure path.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
Task deletion is an administrative action outside the core stated workflow of running and retrieving research. Including destructive controls in a broadly usable skill increases the chance of accidental or unauthorized loss of task history and associated workspace files.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The code prints the full renewed bearer token to stdout, which can be captured by terminal history, logs, CI output, shell recording tools, or other local observers. Any party obtaining that token can likely act as the user against the remote service until expiry.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The delete command immediately destroys a task with no confirmation prompt, safety interlock, or warning about irreversibility. This makes accidental invocation, script misuse, or prompt-induced misuse materially more likely to cause data loss.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The public sharing command lacks an explicit warning that it publishes the task via a shareable URL. Users may not realize that research outputs and uploaded materials could become accessible to others, creating confidentiality and compliance risks.

VirusTotal

56/56 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.