Ynab Api

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a real YNAB helper, but it can change financial budget records and includes guidance to approve matching pending transactions without a clear confirmation step.

Install only if you are comfortable giving the agent access to your YNAB budget. Before allowing it to create, approve, or transfer transactions, verify the exact account, payee, date, amount, and category. Keep the YNAB token/config private, and be careful with scheduled reports because they can repeatedly expose financial data.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

For ambiguous finance requests, the agent may involve the user's YNAB budget and token sooner than expected.

Why it was flagged

The invocation scope is broad for a financial-account skill, so an ambiguous expense or budget request could cause the agent to use YNAB even when the user did not explicitly name it.

Skill content

Use this skill whenever the user mentions YNAB, budget tracking, spending analysis... or wants to manage their personal finances -- even if they just say 'add an expense'

Recommendation

Confirm that the user wants the action performed in YNAB when the request is ambiguous or could refer to another finance tool.

What this means

The agent could approve the wrong pending transaction or change budget records when the user expected only a new entry or a report.

Why it was flagged

This directs the agent to create approved transactions and to approve an existing pending transaction based on a weak match condition, without an explicit user confirmation step.

Skill content

Before creating a new transaction, check if an unapproved one already exists for the same amount. If found, approve it instead... Body: {"transaction": {... "approved": true}}

Recommendation

Require explicit confirmation before creating, approving, or transferring transactions, and only approve pending transactions after matching payee, date, account, and amount.

What this means

Anyone or any process with access to the token/config can access the configured YNAB budget through the API.

Why it was flagged

The skill requires a YNAB API token and budget ID to read and modify the user's budget; this is expected for the stated purpose but is sensitive account authority.

Skill content

Set environment variables `YNAB_API_KEY` and `YNAB_BUDGET_ID`, or create `~/.config/ynab/config.json`: { "api_key": "YOUR_YNAB_TOKEN"

Recommendation

Store the config securely, avoid committing it to repositories, and revoke or rotate the YNAB token if it may have been exposed.

What this means

The install UI may not warn users about required tools or credentials, and some scripts may fail until dependencies are installed.

Why it was flagged

The registry metadata does not fully reflect the artifacts' requirements: the docs/scripts require curl, jq, a YNAB token/config, and transfer.sh also uses bc.

Skill content

Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none

Recommendation

Update the skill metadata to declare the YNAB credential/config requirements and local command dependencies.

What this means

Budget details, spending patterns, payees, and category information may appear in chat context, terminal output, or logs.

Why it was flagged

Financial metrics and transaction-derived summaries are intentionally placed into the agent's context so it can summarize them for the user.

Skill content

When running `daily-spending-report.sh`, the script outputs an "ANALYSIS DATA" section with raw metrics. Reinterpret this data in your own voice

Recommendation

Use this only in trusted workspaces and avoid sharing generated reports or logs that contain personal financial data.

What this means

If the user schedules the scripts, they will repeatedly access YNAB financial data using the stored token.

Why it was flagged

The skill does not install persistence itself, but it documents scheduled execution for recurring financial reports.

Skill content

All scripts output to stdout and can be scheduled with any cron/scheduler.

Recommendation

Only schedule scripts intentionally, review where their output is sent, and remove scheduled jobs when no longer needed.