ezBookkeeping API Tools
Review
Audited by ClawScan on May 11, 2026.
Overview
This looks like an ezBookkeeping API wrapper, but it can use a finance API token to change bookkeeping data and manage/revoke sessions beyond what the top-level description clearly explains.
Install only if you trust this publisher and want an agent to access your ezBookkeeping account. Use a least-privilege token if possible, avoid leaving the token in an unprotected home-directory .env file, and require explicit confirmation before any command that adds data, changes account/category structure, or revokes tokens.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could add or alter bookkeeping structures if it invokes the wrong command or acts on an ambiguous request.
The script exposes POST commands that can mutate bookkeeping account/category data. These are sensitive financial-record operations and the SKILL.md usage does not describe confirmation, scoping, or rollback expectations.
"Name": "accounts-add", ... "Method": "POST", "Path": "accounts/add.json" ... "Name": "transaction-categories-add", ... "Method": "POST", "Path": "transaction/categories/add.json"
Use this only with explicit user approval for any write operation, and prefer read-only or least-privilege API tokens if ezBookkeeping supports them.
The skill could enumerate active sessions and revoke tokens, potentially logging out other clients or disrupting account access.
The script includes session/token listing and revocation capabilities. That account-management authority is not clearly called out in the skill's high-level description.
"Name": "tokens-list", "Description": "Retrieve all sessions for the current user" ... "Name": "tokens-revoke", "Description": "Revoke a specified token", "Method": "POST", "Path": "tokens/revoke.json"
Only provide a token you are comfortable using for session-management actions, and require explicit confirmation before any token revocation.
Anyone or any agent process with access to this token may be able to read or modify ezBookkeeping data according to the token's privileges.
The required API token is purpose-aligned for calling ezBookkeeping, but it is still a sensitive credential that grants account/API access.
`EBKTOOL_SERVER_BASEURL` | Required | ezBookkeeping server base URL ... `EBKTOOL_TOKEN` | Required | ezBookkeeping API token
Store the token securely, rotate it if exposed, and use the narrowest possible permissions.
Users have less external context for deciding whether to trust the included scripts with their bookkeeping credentials.
The skill's provenance is not well documented, which matters more because it handles a personal finance API token.
Source: unknown; Homepage: none
Review the included scripts and install only from a publisher/source you trust.
