revolut
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEDATA_EXFILTRATIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill stores sensitive credentials and cryptographic material in the user's home directory (
~/.thinkfleet/revolut/). - Evidence: The documentation explicitly lists the storage of
private.pem(RSA private key),tokens.json(OAuth tokens), andconfig.jsoncontaining client identifiers. While these are vendor-specific resources, they represent a significant concentration of sensitive authentication data on the local filesystem. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection due to its combination of data ingestion and financial capabilities.
- Ingestion points: Data enters the agent's context through transaction history retrieval (
revolut.py transactions) and counterparty searches (revolut.py counterparties), which can contain attacker-controlled strings such as payment references or name fields. - Boundary markers: There are no documented delimiters or instructions to the LLM to ignore embedded commands within the fetched transaction or counterparty data.
- Capability inventory: The skill provides commands for sensitive operations including payments (
revolut.py pay), internal transfers (revolut.py transfer), and currency exchanges (revolut.py exchange). - Sanitization: The documentation does not indicate any sanitization or validation of external strings before they are presented to the agent, creating a risk that malicious data could influence the agent's subsequent financial actions.
- [COMMAND_EXECUTION]: The skill operates by executing local Python scripts to interact with the Revolut API and manage local setup.
- Evidence: The entry point and commands utilize
python3 {baseDir}/scripts/revolut.pyandpython3 {baseDir}/scripts/setup.pyto perform all functions.
Audit Metadata