Krea.ai API

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Krea.ai image-generation client, with the main caution being careful handling of the Krea API secret.

Use the credential file approach with `chmod 600` rather than passing `--key-id` and `--secret` on the command line, consider using a dedicated or revocable Krea API key, and monitor Krea usage because image generation may consume credits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 98%
Finding
The README explicitly tells users to provide `--key-id` and `--secret` on the command line, which can expose credentials through shell history, process listings, audit logs, or screenshots. In this skill context, these are real API secrets for a third-party service, so the guidance materially increases the chance of credential leakage during normal use.

VirusTotal

65/65 vendors flagged this skill as clean.
