ClawHub

Revolut Business

v1.0.1

Revolut Business API CLI — accounts, balances, transactions, counterparties, payments, FX exchange, CSV export. Auto-refreshes OAuth tokens. Business accounts only (not personal).

1· 1.7k·0 current·0 all-time
by@christianhaberl
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, README, SKILL.md and scripts implement a Revolut Business CLI and only require python3 — that matches the stated purpose. However the registry metadata claims no required environment variables/primary credential even though the code expects REVOLUT_CLIENT_ID and REVOLUT_ISS_DOMAIN and stores keys/tokens under ~/.clawdbot/revolut. The omission in metadata is an inconsistency.
!
Instruction Scope
SKILL.md and setup.py largely stay within the Revolut onboarding and API usage flow (generate RSA key, upload X509 cert, OAuth code exchange, token refresh). But the runtime code includes a load_env() routine that will read other .env files (e.g., ~/clawd/.env and a parent-path .env) to populate credentials if not set in the environment — this reads user workspace env files outside the skill's directory and could surface unrelated secrets. setup.py also runs shell commands (openssl, curl, clipboard tools) and performs network calls during interactive setup — expected for setup, but worth noting.
Install Mechanism
No external install spec or remote downloads — the skill is instruction+script based and uses standard Python libraries (PyJWT, cryptography). Nothing is being fetched from untrusted URLs or executed from arbitrary archives in the manifest.
!
Credentials
The functionality legitimately needs a client ID, issuer domain and a private key/certificate. But the registry metadata doesn't declare the required env vars (REVOLUT_CLIENT_ID, REVOLUT_ISS_DOMAIN). Additionally, load_env() attempts to read unrelated .env files (e.g. ~/clawd/.env or a .env found by walking up directories), which is disproportionate for this CLI and risks accidentally exposing unrelated secrets.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It persists credentials under ~/.clawdbot/revolut which is appropriate for a CLI; ensure the directory and files have tight permissions.
What to consider before installing
What to consider before installing/running: - Provenance: the skill's source is listed as unknown; the README points to a GitHub repo. Prefer installing or running code from a known, trusted upstream and compare the files to that upstream repo. - Metadata mismatch: the code requires REVOLUT_CLIENT_ID and REVOLUT_ISS_DOMAIN and creates private.pem/certificate.pem/tokens.json, but the registry metadata does not declare these env vars/credentials — treat this as a red flag and verify values yourself. - Sensitive files: the skill will generate and store an RSA private key and OAuth tokens in ~/.clawdbot/revolut. Set strict filesystem permissions (chmod 700 ~/.clawdbot/revolut, chmod 600 private.pem/tokens.json) and only run on machines you control. - Unexpected .env access: the code tries to load a .env from ~/clawd/.env and a parent-directory .env as a fallback. If you have other secrets in such files, the skill may read them. Either remove/lock those .env files or edit the script to stop reading them before running. - Interactive setup behaviors: setup.py runs local shell commands (openssl, clipboard utilities), queries ifconfig.me for the public IP, and opens browsers. Run setup interactively on a secure host and inspect the script if you have concerns. - Review JWT claims/audience: the scripts set aud to https://revolut.com and call the b2b API; this is consistent in the included code but verify with Revolut docs for your account. - Least privilege: don't run this on a shared CI runner or multi-user server where other users could access ~/.clawdbot/revolut. Consider running inside a dedicated VM or container. If you are not comfortable, ask the publisher for the canonical repo URL and sign-off, or request that the skill metadata be corrected to list required env vars before installation.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💶 Clawdis
Binspython3
latestvk976dwcpdnbmrxty63hcgp382s809fh6
1.7kdownloads
1stars
2versions
Updated 1mo ago
v1.0.1
MIT-0
@christianhaberl
latest
Download

Revolut Business API

Full CLI for Revolut Business — accounts, transactions, payments, FX, exports.

Entry point: python3 {baseDir}/scripts/revolut.py

Setup

Interactive Setup Wizard (recommended)

python3 {baseDir}/scripts/setup.py

Walks you through everything: key generation, Revolut certificate upload, OAuth callback, authorization.

Manual Setup

  • Python 3.10+, pip install PyJWT cryptography
  • Revolut Business account with API certificate
  • See README for detailed step-by-step guide

Credentials

Stored in ~/.clawdbot/revolut/:

  • private.pem — RSA private key (for JWT signing)
  • certificate.pem — X509 cert (uploaded to Revolut)
  • tokens.json — OAuth tokens (auto-managed)
  • config.json — client ID, domain, redirect URI

Environment variables (in .env):

  • REVOLUT_CLIENT_ID — from Revolut API settings
  • REVOLUT_ISS_DOMAIN — your redirect URI domain (without https://)

Commands

Accounts & Balances

python3 {baseDir}/scripts/revolut.py accounts          # List all accounts with balances
python3 {baseDir}/scripts/revolut.py balance            # Total EUR balance
python3 {baseDir}/scripts/revolut.py accounts --json    # JSON output

Transactions

python3 {baseDir}/scripts/revolut.py transactions                    # Last 20
python3 {baseDir}/scripts/revolut.py tx -n 50                       # Last 50
python3 {baseDir}/scripts/revolut.py tx --since 2026-01-01           # Since date
python3 {baseDir}/scripts/revolut.py tx --since 2026-01-01 --to 2026-01-31
python3 {baseDir}/scripts/revolut.py tx -a Main                     # Filter by account
python3 {baseDir}/scripts/revolut.py tx --type card_payment          # Filter by type
python3 {baseDir}/scripts/revolut.py tx --json                      # JSON output

Transaction types: card_payment, transfer, exchange, topup, atm, fee, refund

Counterparties

python3 {baseDir}/scripts/revolut.py counterparties     # List all
python3 {baseDir}/scripts/revolut.py cp --name "Lisa"   # Search by name
python3 {baseDir}/scripts/revolut.py cp --json

Payments

# Send payment (with confirmation prompt)
python3 {baseDir}/scripts/revolut.py pay -c "Lisa Dreischer" --amount 50.00 --currency EUR -r "Lunch"

# Create draft (no immediate send)
python3 {baseDir}/scripts/revolut.py pay -c "Lisa Dreischer" --amount 50.00 --draft -r "Lunch"

# Skip confirmation
python3 {baseDir}/scripts/revolut.py pay -c "Lisa Dreischer" --amount 50.00 -y

Currency Exchange

python3 {baseDir}/scripts/revolut.py exchange --amount 100 --sell EUR --buy USD
python3 {baseDir}/scripts/revolut.py fx --amount 500 --sell EUR --buy GBP

Internal Transfers

python3 {baseDir}/scripts/revolut.py transfer --from-account <ID> --to-account <ID> --amount 100

Export (CSV)

python3 {baseDir}/scripts/revolut.py export                           # Print CSV to stdout
python3 {baseDir}/scripts/revolut.py export -n 200 -o transactions.csv  # Save to file
python3 {baseDir}/scripts/revolut.py export --since 2026-01-01 -o jan.csv

Token Status

python3 {baseDir}/scripts/revolut.py token-info

Token Auto-Refresh

  • Access tokens expire after ~40 minutes
  • Automatically refreshed using the refresh token before API calls
  • No manual intervention needed after initial auth

Security Notes

  • Private key and tokens are stored in ~/.clawdbot/revolut/ — treat as sensitive
  • Payments require explicit confirmation (use --yes to skip)
  • --draft creates payment drafts that need approval in Revolut app
  • Never share your private key, tokens, or client assertion JWT

Comments

Loading comments...