Back to skill

Security audit

Reve AI Image Generation

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it uses a Reve AI API key to generate, edit, or remix images, with external upload of prompts and selected images as the main privacy consideration.

Install only if you intend to use Reve AI. Use a dedicated, revocable Reve API key, expect credit usage, and do not submit prompts or images that you are not comfortable sending to Reve's servers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill requires environment variables for an API key and sends requests to Reve's external API, which implies env and network capabilities, but those permissions are not explicitly declared. This creates a transparency and governance gap: users or platforms may invoke the skill without clear notice that secrets are accessed and data is transmitted externally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description omits a clear warning that user prompts and input images are sent to an external third-party service. Because prompts and images may contain sensitive or proprietary data, this lack of disclosure can lead to unintentional data exfiltration to Reve AI.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The edit command reads a local image file, base64-encodes it, and sends it to Reve's remote API as `reference_image` without any explicit runtime warning or confirmation that the file contents will leave the local machine. In a CLI skill context, users may supply sensitive local images assuming local processing, so silent external upload creates a meaningful privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The remix command uploads one or more local reference images to a third-party API via `reference_images: inputs.map(loadImageBase64)` without an explicit warning that these files are transmitted externally. Because remix accepts multiple images, the privacy exposure can be larger and may include personal, proprietary, or otherwise sensitive content.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/reve.ts:14