Back to skill

Security audit

Revolut Business

Security checks across malware telemetry and agentic risk

Overview

This is a real Revolut Business CLI, but it gives an agent live banking authority and has several safeguards missing around money movement and credential storage.

Install only if you intentionally want an agent-accessible Revolut Business tool. Restrict the Revolut API certificate and IP allowlist, protect ~/.clawdbot/revolut/, avoid autonomous use for payments, FX, or transfers, prefer draft payments, and review amounts, currencies, recipients, and export paths before running commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (11)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def main():
Confidence
97% confidence
Finding
return subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities that access environment variables, read and write sensitive files, invoke shell commands, and communicate over the network, yet it declares no permissions. That creates a transparency and trust problem: users and any execution framework cannot accurately assess or constrain what the skill can do, especially since it handles financial credentials and token material.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description understates several powerful behaviors: key and certificate generation, clipboard interaction, public IP discovery, browser launching, and shell command execution during setup. In a financial API skill, hidden or under-disclosed capabilities are particularly dangerous because they expand the attack surface around secrets, local system interaction, and outbound communications beyond what a user would reasonably expect.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The export command writes detailed financial transaction data, including merchant names, balances, descriptions, and card-related fields, to an arbitrary local path without any warning, permission hardening, or redaction. In an agent/CLI context, this increases the chance of sensitive business data being persisted to insecure locations, synced folders, or world-readable files where it can be later exposed.

Missing User Warnings

High
Confidence
93% confidence
Finding
The exchange command performs a live currency exchange immediately with no user confirmation, dry-run, quote review, or clear warning that the action is irreversible. In a financial automation skill, this is dangerous because accidental invocation, parameter mix-ups, or autonomous agent behavior can directly cause real monetary loss.

Missing User Warnings

High
Confidence
94% confidence
Finding
The transfer command executes an internal funds movement without any confirmation prompt or pre-execution disclosure. Even though it is between owned accounts, mistakes in account IDs, currency, or amount can move significant business funds and create operational or reconciliation issues instantly.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
# Payments
revolut pay -c "Lisa Dreischer" --amount 50.00 -r "Lunch"
revolut pay -c "Lisa Dreischer" --amount 50.00 --draft    # Draft (approve in app)
revolut pay -c "Lisa Dreischer" --amount 50.00 --yes      # Skip confirmation

# Currency Exchange
revolut fx --amount 100 --sell EUR --buy USD
Confidence
88% confidence
Finding
Skip confirmation

Unvalidated Output Injection

High
Category
Output Handling
Content
def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def main():
Confidence
98% confidence
Finding
subprocess.run(cmd, shell=True, capture_output

Credential Access

High
Category
Privilege Escalation
Content
def refresh_access_token():
    """Refresh the access token using refresh_token."""
    tokens = load_tokens()
    if not tokens or "refresh_token" not in tokens:
        print("ERROR: No refresh token. Run 'revolut auth' first.", file=sys.stderr)
Confidence
91% confidence
Finding
access token

Credential Access

High
Category
Privilege Escalation
Content
def get_access_token():
    """Get a valid access token, refreshing if needed."""
    tokens = load_tokens()
    if not tokens:
        print("ERROR: Not authenticated. Run 'revolut auth' first.", file=sys.stderr)
Confidence
89% confidence
Finding
access token

Tool Parameter Abuse

High
Category
Tool Misuse
Content
def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def main():
Confidence
96% confidence
Finding
subprocess.run(cmd, shell=True

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.