Trust Assessment
revolut received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 10 findings: 2 critical, 3 high, 2 medium, and 2 low severity. Key findings include Arbitrary command execution, Suspicious import: urllib.request, Dangerous call: subprocess.run().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings10
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python shell execution (os.system, subprocess) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/christianhaberl/revolut-business/scripts/setup.py:47 | |
| CRITICAL | User input directly used in subprocess.run(shell=True) The `scripts/setup.py` script takes user input for 'Organization name', 'Country code', and 'Common name' during certificate generation. These inputs are then directly interpolated into an `openssl req` command executed with `subprocess.run(shell=True)`. This allows an attacker to inject arbitrary shell commands by providing malicious input (e.g., `'; rm -rf /'`) when prompted for these values, leading to arbitrary code execution on the host system. Avoid `shell=True` when executing external commands with user-provided input. Instead, pass commands and arguments as a list to `subprocess.run()` (e.g., `subprocess.run(['openssl', 'req', ...])`). If `shell=True` is strictly necessary, ensure all user inputs are properly sanitized and escaped for the shell context before interpolation. | LLM | scripts/setup.py:113 | |
| HIGH | Dangerous call: subprocess.run() Call to 'subprocess.run()' detected in function 'run'. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/christianhaberl/revolut-business/scripts/setup.py:47 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/christianhaberl/revolut-business/SKILL.md:22 | |
| HIGH | Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/christianhaberl/revolut-business/SKILL.md:102 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/christianhaberl/revolut-business/scripts/revolut.py:19 | |
| MEDIUM | Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/christianhaberl/revolut-business/scripts/setup.py:231 | |
| LOW | Dependencies installed without version pinning The `SKILL.md` instructs users to install `PyJWT` and `cryptography` using `pip install PyJWT cryptography`. Without specific version pinning (e.g., `PyJWT==2.0.0`), this can lead to non-deterministic builds and potential supply chain vulnerabilities if a new version of a dependency introduces a breaking change or a security flaw. An attacker could potentially introduce malicious code into a new version of an unpinned dependency. Specify exact versions for all dependencies in a `requirements.txt` file (e.g., `PyJWT==2.8.0`, `cryptography==41.0.7`) and instruct users to install with `pip install -r requirements.txt`. Regularly update and review these pinned versions. | LLM | SKILL.md:20 | |
| LOW | Skill attempts to load environment variables from `.env` files The `scripts/revolut.py` script includes a `load_env()` function that searches for and parses `.env` files in common locations (`~/clawd/.env`, `../../.env`). While it specifically looks for `REVOLUT_CLIENT_ID` and `REVOLUT_ISS_DOMAIN`, the general practice of searching for and parsing `.env` files from potentially arbitrary locations could lead to unintended exposure or processing of other sensitive environment variables if the parsing logic were less strict or if the skill's scope expanded. This pattern could be a vector for data exfiltration if a malicious `.env` file were present or if the skill were to inadvertently process other sensitive variables. If possible, rely solely on environment variables explicitly passed to the skill or a dedicated configuration file within the skill's own directory. If `.env` loading is required, ensure the search paths are strictly controlled and the parsing is robust against unexpected content, and only extract variables explicitly needed by the skill. | LLM | scripts/revolut.py:30 | |
| INFO | Sensitive API credentials stored on local filesystem The skill stores Revolut API private keys (`private.pem`), certificates (`certificate.pem`), OAuth tokens (`tokens.json`), and configuration (`config.json`) in the user's home directory under `~/.clawdbot/revolut/`. While this is necessary for the skill's operation and explicitly documented, it highlights a critical area for security. Unauthorized access to this directory would compromise the user's Revolut Business API access, potentially leading to financial fraud or data breaches. Ensure the `~/.clawdbot/revolut/` directory and its contents have appropriate filesystem permissions (e.g., `chmod 600` for files, `chmod 700` for directories) to restrict access to the owner only. Educate users about the sensitivity of these files and the importance of securing their local environment. | LLM | SKILL.md:24 |
Scan History
Embed Code
[](https://skillshield.io/report/2e889231e215d0a7)
Powered by SkillShield