Revolut X

Audited by ClawScan on May 15, 2026.

Overview

This is a coherent Revolut X CLI guide, but it can give the agent user-approved access to API keys, real-money crypto trading, background bots, and Telegram notifications.

Install this only if you want the agent to help operate Revolut X through the revx CLI. Verify the external CLI source, use least-privileged API keys, review every trading confirmation, dry-run grid bots before live use, keep Telegram/API tokens private, avoid broad allowlists, and stop background tasks when finished.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved with incorrect details, the agent could place, modify, or cancel real crypto orders.

Why it was flagged

The skill exposes Bash-driven order placement, replacement, and cancellation on a crypto exchange; the instructions require explicit confirmation, so this is purpose-aligned but high-impact.

Skill content

**NEVER execute `revx order place`, `revx order replace`, or `revx order cancel` without explicit user confirmation.** These commands move real money.

Recommendation

Review the pair, side, size, order type, and price before approving any trading command; avoid broad Bash allowlists for trading actions.

What this means

A launched bot can keep running and trading until stopped, and crashed sessions may reconcile state on restart.

Why it was flagged

The grid bot is intentionally long-running and persistent, and live mode can place orders; the artifact discloses this and requires confirmation for live trading.

Skill content

`revx strategy grid run` ... runs **indefinitely** as a continuous polling loop ... `run_in_background: true` ... **Persistence:** State auto-saved for crash recovery.

Recommendation

Use dry-run first, monitor the background task, know how to stop it, and use reset/cleanup options only when you understand their effect.

What this means

An API key configured for the CLI may allow account queries and trading actions depending on the permissions granted in Revolut X.

Why it was flagged

The skill requires Revolut X API credentials and local key material for authenticated exchange actions; this is expected for the stated purpose but should be treated as sensitive authority.

Skill content

Prompt for the 64-character API key ... `revx configure set --api-key <64-char-key>`

Recommendation

Create the least-privileged API key that supports your intended use, protect the private key/config directory, and revoke the key when no longer needed.

What this means

The local machine will run code from the npm package, including code that handles exchange credentials and trading commands.

Why it was flagged

The skill installs and relies on an external global npm CLI package that is not included in the scanned bundle; package installation is central to the purpose but depends on npm/source trust.

Skill content

`npm install -g @revolut/revolut-x-cli && npm link @revolut/revolut-x-cli`

Recommendation

Verify the npm package and repository, prefer a pinned/known version if available, and install only from the expected Revolut source.

What this means

Telegram messages may reveal trading activity, fills, and profit/loss information to anyone with access to the configured chat or bot token.

Why it was flagged

The Telegram connector intentionally sends trading and alert information to Telegram chats; this is disclosed and user-configured, but it creates an external data path.

Skill content

**Monitor alerts** ... are automatically sent as Telegram messages ... **Grid bot events** ... send notifications on startup, shutdown, fills, and P&L changes

Recommendation

Use a dedicated bot and trusted chat, keep the bot token private, and revoke/regenerate the token if it is exposed.

What this means

Allowed recurring commands may run without repeated prompts, which is convenient but reduces per-run review.

Why it was flagged

The skill documents changing local agent permissions to avoid repeated prompts for looped account queries; it requires user approval and specifically forbids a blanket revx allowlist.

Skill content

ask for permission to add them to the allowlist ... `Bash(revx account balances*)` ... Do NOT add a blanket `Bash(revx *)`

Recommendation

Only approve narrow allowlist entries for read-only commands you understand, and do not allow broad patterns that could cover trading actions.