DeepRead Agent Self Sign Up

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent DeepRead setup helper that creates an API key with user approval, but the key and any test documents should be handled carefully.

Install only if you intend to authorize an agent to use your DeepRead account. Complete the browser approval yourself, keep DEEPREAD_API_KEY out of logs and source control, prefer a secrets manager for persistence, and use a disposable non-confidential PDF when testing the key.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill declares no permissions even though it clearly performs network access, shell execution, and sets environment variables. This mismatch can undermine platform trust and review controls because consumers may not realize the skill can contact external services and handle credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The manifest explicitly declares that the skill will produce a sensitive credential, DEEPREAD_API_KEY, but provides no accompanying warning, consent language, or guidance on safe handling, storage, or scope of access. In an agent setup context, this increases the risk that users or downstream tooling will treat the credential as ordinary output, leading to accidental logging, persistence, or reuse in unsafe contexts.

External Transmission

Medium
Category
Data Exfiltration
Content
Submit a test document to confirm the key is valid:

```bash
curl -s -X POST https://api.deepread.tech/v1/process \
  -H "X-API-Key: $DEEPREAD_API_KEY" \
  -F "file=@test.pdf"
```
Confidence
88% confidence
Finding
curl -s -X POST https://api.deepread.tech/v1/process \ -H "X-API-Key: $DEEPREAD_API_KEY" \ -F "file=@test.pdf" ``` A successful response returns a job ID confirming the key works: ```json { "id

External Transmission

Medium
Category
Data Exfiltration
Content
Submit a test document to confirm the key is valid:

```bash
curl -s -X POST https://api.deepread.tech/v1/process \
  -H "X-API-Key: $DEEPREAD_API_KEY" \
  -F "file=@test.pdf"
```
Confidence
88% confidence
Finding
https://api.deepread.tech/

VirusTotal

66/66 vendors flagged this skill as clean.
