Is dpaluy/reve-ai safe?

https://github.com/openclaw/skills/tree/main/skills/dpaluy/reve-ai

84
SAFE

dpaluy/reve-ai is a clean, well-structured skill for the Reve AI image generation API with no prompt injection attempts, no malicious exfiltration endpoints, and installation that touched only the expected skill directory. The primary concern is an inherent design pattern: the image-edit and remix commands read arbitrary file paths and transmit their raw bytes to api.reve.com, creating an indirect exfiltration vector if an agent is manipulated into pointing the -i flag at sensitive files. Canary files were untouched and network activity during installation was limited to GitHub.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection 95/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 80/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (6)

MEDIUM Arbitrary file-read piped to external API -30

scripts/reve.ts:loadImageBase64() reads the file at whatever path is passed via the -i CLI flag, base64-encodes the raw bytes without checking that they are image data, and transmits them in the JSON body of a POST to https://api.reve.com/v1/image/edit or /remix. If an agent is instructed (via a crafted user message or prompt injection from another source) to 'edit this file' with -i pointing at ~/.env, ~/.ssh/id_rsa, or other secrets, those file contents are sent to api.reve.com. The API key also travels in the Authorization header, so anyone holding the key or controlling the Reve account could retrieve the submitted 'images'. The practical mitigation is to confine -i to an allowed directory (after resolving symlinks) and to reject any file whose leading bytes are not a known image signature.

LOW Unconstrained output file path allows overwrite -10

The -o / --output flag accepts any filesystem path with no validation. An agent could be directed to write generated image output to a sensitive path (e.g., ~/.ssh/authorized_keys, ~/.bashrc), overwriting it with binary image data. Refusing to overwrite existing files, requiring an image extension, and confining output to the working directory would close this.
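One way to close both the -i read path from the MEDIUM finding and the -o overwrite path from this one, as an added example that is not the skill's own code: the allowed-root confinement, the size cap, the magic-byte sniff and every function name here are assumptions, and the fixture files are constructed locally so the block runs offline with only Node's standard library.

```typescript
// Added example: hardened path handling for the -i (input) and -o (output)
// flags discussed above. Not the skill's own code. The allowed-root
// confinement, the size cap and all function names are assumptions.
import { existsSync, mkdtempSync, readFileSync, realpathSync, symlinkSync, writeFileSync } from "fs";
import { basename, dirname, extname, join, resolve, sep } from "path";
import { tmpdir } from "os";

const MAX_INPUT_BYTES = 20 * 1024 * 1024; // assumed cap, not a documented Reve limit
const IMAGE_EXTS = new Set([".png", ".jpg", ".jpeg", ".webp"]);
const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);

// Identify an image by its leading bytes; .env, PEM keys and credential JSON all fail.
export function sniffImageType(buf: Buffer): "png" | "jpeg" | "webp" | null {
  if (buf.length >= 8 && buf.subarray(0, 8).equals(PNG_MAGIC)) return "png";
  if (buf.length >= 3 && buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) return "jpeg";
  if (buf.length >= 12 && buf.toString("ascii", 0, 4) === "RIFF" && buf.toString("ascii", 8, 12) === "WEBP") return "webp";
  return null;
}

// Resolve a user-supplied path (following symlinks) and require it to sit under
// allowedRoot. The shell expands ~ before the CLI sees it, so realpath handles ~/.ssh/id_rsa.
function resolveInside(userPath: string, allowedRoot: string, mustExist: boolean): string {
  const root = realpathSync(allowedRoot);
  const target = mustExist
    ? realpathSync(userPath)
    : join(realpathSync(dirname(resolve(userPath))), basename(userPath)); // output may not exist yet
  if (target !== root && !target.startsWith(root + sep)) {
    throw new Error(`${userPath} resolves outside ${allowedRoot}`);
  }
  if (basename(target).startsWith(".")) throw new Error(`refusing dotfile ${target}`);
  return target;
}

// Replacement for loadImageBase64(): only real images under allowedRoot are encoded.
export function loadImageBase64Safe(userPath: string, allowedRoot: string): string {
  const target = resolveInside(userPath, allowedRoot, true);
  const buf = readFileSync(target);
  if (buf.length > MAX_INPUT_BYTES) throw new Error(`${target} exceeds ${MAX_INPUT_BYTES} bytes`);
  if (sniffImageType(buf) === null) throw new Error(`${target} is not a PNG/JPEG/WEBP image`);
  return buf.toString("base64");
}

// Validation for -o: image extension, inside allowedRoot, never overwrite.
export function resolveOutputPathSafe(userPath: string, allowedRoot: string): string {
  const target = resolveInside(userPath, allowedRoot, false);
  if (!IMAGE_EXTS.has(extname(target).toLowerCase())) throw new Error(`${target} lacks an image extension`);
  if (existsSync(target)) throw new Error(`refusing to overwrite ${target}`);
  return target;
}

// Constructed fixture: a real-looking PNG, a secret, an extension-spoofed text
// file, a symlink pointing at the secret, and an image outside the root.
export function makeFixture() {
  const root = mkdtempSync(join(tmpdir(), "reve-root-"));
  const outsideDir = mkdtempSync(join(tmpdir(), "reve-outside-"));
  const goodPng = join(root, "photo.png");
  writeFileSync(goodPng, Buffer.concat([PNG_MAGIC, Buffer.alloc(64)]));
  const envFile = join(root, ".env");
  writeFileSync(envFile, "REVE_API_KEY=not-a-real-key\n");
  const spoofedPng = join(root, "fake.png");
  writeFileSync(spoofedPng, "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n");
  const linkPng = join(root, "alias.png");
  symlinkSync(envFile, linkPng);
  const outsidePng = join(outsideDir, "secret.png");
  writeFileSync(outsidePng, Buffer.concat([PNG_MAGIC, Buffer.alloc(16)]));
  return { root, outsideDir, goodPng, envFile, spoofedPng, linkPng, outsidePng };
}
```

The two checks do different work: path confinement stops an agent from pointing -i or -o outside the directory the user invoked the skill in, while the byte sniff stops an in-directory secret that has been renamed or symlinked to look like an image. Neither check depends on the filename the agent was given, which is the only part it controls.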

LOW Executable TypeScript CLI script present -18

The skill ships scripts/reve.ts designed to be executed directly via 'bun scripts/reve.ts'. This is expected and documented, but represents a code-execution surface. The code is readable, straightforward, and does not attempt to run shell commands or download additional payloads.

LOW Canary file accesses observed in monitoring (audit-harness attributed) -20

The inotify and auditd logs show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials being opened at 09:40:17 (5 seconds before installation) and again at 09:40:40 (after install). Chronological analysis indicates these match the Oathe audit harness's own pre/post baseline read-back pattern rather than any code present in the skill. The canary integrity check confirms all files are unmodified and no exfiltration occurred.

INFO API credit drain via repeated invocation -20

Each create/edit/remix call consumes Reve AI credits (the example response shows credits_used: 18). An agent that loops or is tricked into calling this skill repeatedly could exhaust the user's Reve account balance, since the skill enforces no rate limiting or spend cap of its own. A caller-side budget (maximum credits per session and calls per minute) is the appropriate control.
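A caller-side spend guard for this finding, as an added example that is neither the skill's nor Reve's code: the Reve client is a constructed stub, the credits_used field name is taken from the response quoted above, and the budget, the per-minute ceiling and the class name are assumptions.

```typescript
// Added example: a caller-side spend guard for the credit-drain finding above.
// Not the skill's or Reve's code. The field name credits_used comes from the
// response quoted in the finding; the limits and class name are assumptions.
export interface ReveResponse { credits_used: number; [field: string]: unknown }

export class CreditGuard {
  private spent = 0;
  private recentCalls: number[] = []; // timestamps (ms) of calls in the last minute

  constructor(
    private readonly maxCredits: number,        // hard cap for this session
    private readonly maxCallsPerMinute: number, // sliding-window ceiling
    private readonly now: () => number = () => Date.now(), // injectable clock for tests
  ) {}

  get creditsSpent(): number { return this.spent; }

  // Call before every create/edit/remix request; throws instead of sending.
  beforeCall(): void {
    const t = this.now();
    this.recentCalls = this.recentCalls.filter((ts) => t - ts < 60_000);
    if (this.recentCalls.length >= this.maxCallsPerMinute) {
      throw new Error(`rate limit: ${this.maxCallsPerMinute} Reve calls per minute reached`);
    }
    if (this.spent >= this.maxCredits) {
      throw new Error(`credit budget exhausted: spent ${this.spent} of ${this.maxCredits}`);
    }
    this.recentCalls.push(t);
  }

  // Call with the parsed JSON response so the real cost is accumulated.
  afterCall(res: ReveResponse): void {
    if (!Number.isFinite(res.credits_used) || res.credits_used < 0) {
      throw new Error("response lacks a usable credits_used field");
    }
    this.spent += res.credits_used;
  }
}

// Constructed stand-in for POST https://api.reve.com/v1/image/create.
export function fakeReveCreate(creditsPerCall: number): (prompt: string) => ReveResponse {
  return () => ({ credits_used: creditsPerCall, image: "<base64 omitted>" });
}

// Simulate an agent looping on the skill once per second; returns how far it got.
export function runLoop(attempts: number, maxCredits: number, maxPerMinute: number, creditsPerCall: number) {
  let clock = 0;
  const guard = new CreditGuard(maxCredits, maxPerMinute, () => clock);
  const create = fakeReveCreate(creditsPerCall);
  let ok = 0;
  let stoppedBy: string | null = null;
  for (let i = 0; i < attempts; i++) {
    clock += 1000;
    try {
      guard.beforeCall();
      guard.afterCall(create("a cat wearing a hat"));
      ok++;
    } catch (e) {
      stoppedBy = (e as Error).message;
      break;
    }
  }
  return { ok, spent: guard.creditsSpent, stoppedBy };
}
```

Because the cost of a call is only known from the response, the budget check is made before the request and the spend recorded after it, so the cap can be overshot by at most one call; splitting the guard into beforeCall and afterCall keeps it independent of the HTTP client and lets the same object wrap a real fetch to the Reve endpoints.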

INFO <img>N</img> XML-like tag syntax in SKILL.md -5

SKILL.md documents a prompt syntax using XML-like <img>N</img> tags for the remix command, where N is the index of a reference image. This is a legitimate Reve API feature for referencing images by index. No injection risk identified: the tags are passed as string data to the API, not interpreted by the agent's system prompt.