RevenueCat
Review
Audited by ClawScan on May 1, 2026.
Overview
This is a straightforward RevenueCat helper, but it needs a RevenueCat secret API key and can access sensitive customer and subscription business data.
Install only if you are comfortable giving the agent RevenueCat API access. Use a least-privileged key, prefer read-only access for analytics and customer lookup, and require explicit confirmation before any write, delete, refund, cancel, or configuration-changing RevenueCat action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill with a broad key may let the agent read sensitive RevenueCat project, subscription, and customer data.
The skill requires a RevenueCat secret key to access the user's project. This is expected for the stated purpose, but it grants project/account-level API access depending on the key's permissions.
Set `RC_API_KEY` environment variable, which should be a v2 secret API key. ... Your RevenueCat API key allows access to a single project.
Use the least-privileged RevenueCat API key available, preferably scoped to the intended project and read-only tasks, and rotate it if it is exposed.
The agent could retrieve more RevenueCat data than the user intended, such as broad customer or project listings, if asked or if it chooses an overly broad endpoint.
The wrapper lets the agent choose the RevenueCat API endpoint path. The host and method are fixed to RevenueCat GET requests, so this is purpose-aligned, but broad reads are possible if the endpoint is not scoped carefully.
ENDPOINT="$1"
BASE_URL="https://api.revenuecat.com/v2"
curl -s -X GET "${BASE_URL}${ENDPOINT}" \
Keep API calls narrowly scoped, use pagination and filters, and avoid dumping broad customer datasets unless the user explicitly requests it.
If used beyond read-only queries, RevenueCat actions like customer deletion, refunds, cancellations, or product/configuration changes could affect customers and business operations.
The local reference catalog includes high-impact administrative RevenueCat operations. The artifacts do not automate these operations and the provided script is GET-only, but the docs could be used to guide write/delete/refund actions if the user asks for them.
Customers ... CRUD, attributes, aliases, entitlements, subscriptions, purchases, invoices, virtual currencies, actions ... Subscriptions ... cancel, refund ... Products ... CRUD
Treat POST, DELETE, refund, cancel, and configuration-changing endpoints as requiring explicit user confirmation and an appropriately scoped key.
