Revolut Business

What to consider before installing/running: - Provenance: the skill's source is listed as unknown; the README points to a GitHub repo. Prefer installing or running code from a known, trusted upstream and compare the files to that upstream repo. - Metadata mismatch: the code requires REVOLUT_CLIENT_ID and REVOLUT_ISS_DOMAIN and creates private.pem/certificate.pem/tokens.json, but the registry metadata does not declare these env vars/credentials — treat this as a red flag and verify values yourself. - Sensitive files: the skill will generate and store an RSA private key and OAuth tokens in ~/.clawdbot/revolut. Set strict filesystem permissions (chmod 700 ~/.clawdbot/revolut, chmod 600 private.pem/tokens.json) and only run on machines you control. - Unexpected .env access: the code tries to load a .env from ~/clawd/.env and a parent-directory .env as a fallback. If you have other secrets in such files, the skill may read them. Either remove/lock those .env files or edit the script to stop reading them before running. - Interactive setup behaviors: setup.py runs local shell commands (openssl, clipboard utilities), queries ifconfig.me for the public IP, and opens browsers. Run setup interactively on a secure host and inspect the script if you have concerns. - Review JWT claims/audience: the scripts set aud to https://revolut.com and call the b2b API; this is consistent in the included code but verify with Revolut docs for your account. - Least privilege: don't run this on a shared CI runner or multi-user server where other users could access ~/.clawdbot/revolut. Consider running inside a dedicated VM or container. If you are not comfortable, ask the publisher for the canonical repo URL and sign-off, or request that the skill metadata be corrected to list required env vars before installation.