Is deepwiki safe?
https://clawhub.ai/arun-8687/deepwiki
The deepwiki skill is a lightweight wrapper around the DeepWiki MCP server that proxies repository documentation queries to mcp.deepwiki.com. While the skill contains no prompt injection, no malicious code patterns, and no canary file tampering, it does transmit all user queries — including free-text questions that may contain conversational context — to a third-party server. The executable Node.js script with a hardcoded external endpoint represents a moderate supply-chain risk.
Findings (7)
MEDIUM: All queries sent to third-party server (-25)
The deepwiki.js script sends all user queries (repo names and free-text questions) to mcp.deepwiki.com via HTTPS POST. Any content the agent includes in the 'question' parameter is transmitted to DeepWiki's infrastructure. This is by design but represents a data flow that users should be aware of.
MEDIUM: Persistent SSE connection to external server (-20)
The script establishes a Server-Sent Events connection to mcp.deepwiki.com that remains open until a response is received or a 30-second timeout occurs. During this window, the remote server could push event types beyond the expected 'endpoint' and 'message' events.
MEDIUM: Executable script with hardcoded external endpoint (-30)
The skill includes a Node.js script that makes outbound network requests to a hardcoded URL. While the current endpoint (mcp.deepwiki.com) appears legitimate, the script has no integrity verification, certificate pinning, or URL validation. A supply-chain compromise of this skill could redirect traffic to a malicious server.
LOW: No input sanitization on command arguments (-20)
The repo name and question arguments from process.argv are passed directly into the JSON-RPC payload without any validation or sanitization. While this doesn't create a local injection risk (data is JSON-serialized, not passed to a shell), malformed inputs could cause unexpected behavior on the remote server.
LOW: Sensitive file reads during install phase (-25)
During the clone/install phase, the monitoring detected reads of /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and auth-profiles.json. These appear to be from the OpenClaw runtime rather than the skill itself, but the .aws/credentials access is notable and warrants awareness.
INFO: Clean SKILL.md with no injection attempts (-10)
The SKILL.md file contains straightforward documentation with CLI command examples. No hidden instructions, persona overrides, unicode tricks, or attempts to manipulate agent behavior were detected.
LOW: Agent context leakage via question parameter (-40)
When an LLM agent uses this skill, it may include conversation context, user data, or inferred information in the free-text 'question' parameter. This data would be transmitted to DeepWiki's servers. Users may not realize that asking the agent to 'look up documentation' results in their conversational context being sent to a third party.