Reveyes Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a focused Amazon review fetcher that uses a declared Reveyes API key and helper script without hidden or unrelated behavior.

Install only if you trust Reveyes and the reveyes Python package. Treat REVEYES_API_KEY as a secret, avoid committing it to dotfiles or config, rotate it if exposed, and keep page counts small because the service uses credits per page.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill declares use of an environment secret (`REVEYES_API_KEY`) and instructs execution of a local Python script, but does not declare explicit permissions for secret access or code execution. This creates a capability/permission mismatch that can cause the runtime to grant broader access implicitly or make security review miss that the skill can invoke code using sensitive credentials.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal