Deepseek R1 Guide

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only DeepSeek API guide; its main caveat is that the examples send prompts to DeepSeek if the user chooses to run them.

Install as a reference guide only if you are comfortable with optional examples that call DeepSeek services. Treat sk-xxx as a placeholder, store real keys in environment variables or a secret manager, and avoid sending confidential code, secrets, personal data, or regulated content to third-party APIs unless your policy allows it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill includes multiple examples that send user prompts and API credentials to DeepSeek's remote service, but it does not warn users that their inputs may leave the local environment or have privacy/compliance implications. In an AI-assistant skill context, this omission can cause users to paste sensitive code, secrets, or internal data into third-party APIs without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.
