rivetkit
Provides guidance for building and debugging Rivet Actors, enhancing serverless workflows and actor-based applications.
Security score
The rivetkit skill was audited on Jun 24, 2026 and we found 26 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 311 | Don't build keys with string interpolation like `"org:${userId}"` when `userId` contains user data. Use arrays instead to prevent key injection attacks. |
Template literal with variable interpolation in command context
| 528 | if (!res.ok) throw new Error(`Task failed: ${res.status}`); |
Template literal with variable interpolation in command context
| 607 | console.log(`Account ${c.state.email} deleted`); |
Fetch to external URL
| 961 | await fetch("https://api.example.com/workers/init", { |
Fetch to external URL
| 975 | await fetch("https://api.example.com/workers/process", { |
Fetch to external URL
| 989 | await fetch("https://api.example.com/workers/shutdown", { |
Webhook reference - potential data exfiltration
| 1112 | - [Webhooks](reference/agent-os/webhooks.md) |
Access to .env file
| 106 | .env |
Access to .env file
| 116 | .env |
External URL reference
| 12 | If something is not working as intended or you are stuck, prompt the user to join the [Rivet Discord](https://rivet.dev/discord) or file an issue on the [Rivet GitHub](https://github.com/rivet-dev/riv |
External URL reference
| 44 | In local dev, no auth token is needed. In production, pass `Authorization: Bearer <inspector-token>`, where the inspector token is the actor-specific token auto-generated on first start and persisted |
External URL reference
| 52 | - Use inline links for key concepts: "Use [actor keys](https://rivet.dev/docs/actors/keys) to uniquely identify instances." |
External URL reference
| 60 | > Canonical URL: https://rivet.dev/docs/actors/actions |
External URL reference
| 67 | - Actions → `https://rivet.dev/docs/actors/actions` |
External URL reference
| 68 | - React client → `https://rivet.dev/docs/clients/react` |
External URL reference
| 69 | - Self-hosting on Kubernetes → `https://rivet.dev/docs/self-hosting/kubernetes` |
External URL reference
| 91 | - You must configure versioning for production builds. This is not needed for local development. See [Versions & Upgrades](https://rivet.dev/docs/actors/versions). |
External URL reference
| 122 | Use this as a base Dockerfile for deploying a RivetKit project. The `RIVET_RUNNER_VERSION` build arg is only needed when self-hosting or using a custom runner (not needed for Rivet Compute). It lets R |
External URL reference
| 303 | const client = createClient<typeof registry>("http://localhost:6420"); |
External URL reference
| 334 | const client = createClient<typeof registry>("http://localhost:6420"); |
External URL reference
| 774 | const client = createClient<typeof registry>("http://localhost:6420"); |
External URL reference
| 834 | const client = createClient<typeof registry>("http://localhost:6420"); |
External URL reference
| 901 | const client = createClient<typeof registry>("http://localhost:6420"); |
External URL reference
| 961 | await fetch("https://api.example.com/workers/init", { |
External URL reference
| 975 | await fetch("https://api.example.com/workers/process", { |
External URL reference
| 989 | await fetch("https://api.example.com/workers/shutdown", { |