revx-auth
Fail
Audited by Snyk on Apr 29, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt explicitly asks for a 64-character API key and shows commands like
revx configure set --api-key <key>, which would require embedding the secret verbatim in generated output/commands, creating a high exfiltration risk.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for Revolut X — a financial/exchange CLI. It details generating an Ed25519 keypair, registering the public key at exchange.revolut.com, and setting a 64-character API key with the "Allow usage via Revolut X MCP and CLI" option and "write-operation security". These are specific, non-generic steps to provision credentials that enable API access to an exchange (and thus enable placing orders/managing funds via related CLI commands such as revx-trading). Because it directly configures API keys for a financial platform rather than being a generic tool, it grants (or enables) direct financial execution capability.
Issues (2)
W007
HIGHInsecure credential handling detected in skill instructions.
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata