Revolut
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill appears purpose-aligned, but it stores and reuses a Revolut banking browser session and local credential/config state, so it needs careful review before use.
Install only if you trust this skill and the workspace where it will run. Treat Revolut session files, QR/login artifacts, outputs, and any configured PIN as sensitive banking material; run `logout` after use and consider inspecting the full `scripts/revolut.py` before relying on it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the workspace or saved session is accessible, future agent runs or local processes could access sensitive Revolut balances, portfolio, or transaction data without a fresh login until the session is removed.
This documents local persistence of a Revolut banking session and credential/config material. Even though it is purpose-aligned, a reusable online-banking session is high-impact and remains available until logout removes it.
Always call `logout` after completing all operations to delete the stored browser session. ... Per-user state stored in `{workspace}/revolut/` ... No `.env` file loading — credentials in config.json only.Use only in a trusted workspace, avoid storing the PIN unless necessary, protect `{workspace}/revolut/config.json` and session files, and run `logout` or manually delete the Revolut state after each use.
Incorrect or unexpected invocation could access live banking pages and financial data under the logged-in session.
The skill launches a persistent Playwright browser profile to interact with Revolut. Browser automation is central to the stated purpose, but it means the agent is driving a real logged-in banking web session.
context = p.chromium.launch_persistent_context(
user_data_dir=str(profile_dir),
headless=headless,
...
user_agent=DEFAULT_UA,
)Invoke the skill only for specific requested tasks, review date ranges and output paths, and keep the login/logout flow under user supervision.
A future dependency or browser change could affect what code runs locally or how the automation behaves.
Setup downloads Playwright and a Chromium browser without pinned versions. This is normal for Playwright-based automation, but dependency behavior can change over time.
pip install playwright playwright install chromium
Install from trusted package sources, consider pinning Playwright versions, and use a controlled environment for banking automation.