ezBookkeeping API Tools
Advisory
Audited by Static analysis on May 11, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could add or alter bookkeeping structures if it invokes the wrong command or acts on an ambiguous request.
The script exposes POST commands that can mutate bookkeeping account/category data. These are sensitive financial-record operations and the SKILL.md usage does not describe confirmation, scoping, or rollback expectations.
"Name": "accounts-add", ... "Method": "POST", "Path": "accounts/add.json" ... "Name": "transaction-categories-add", ... "Method": "POST", "Path": "transaction/categories/add.json"
Use this only with explicit user approval for any write operation, and prefer read-only or least-privilege API tokens if ezBookkeeping supports them.
The skill could enumerate active sessions and revoke tokens, potentially logging out other clients or disrupting account access.
The script includes session/token listing and revocation capabilities. That account-management authority is not clearly called out in the skill's high-level description.
"Name": "tokens-list", "Description": "Retrieve all sessions for the current user" ... "Name": "tokens-revoke", "Description": "Revoke a specified token", "Method": "POST", "Path": "tokens/revoke.json"
Only provide a token you are comfortable using for session-management actions, and require explicit confirmation before any token revocation.
Anyone or any agent process with access to this token may be able to read or modify ezBookkeeping data according to the token's privileges.
The required API token is purpose-aligned for calling ezBookkeeping, but it is still a sensitive credential that grants account/API access.
`EBKTOOL_SERVER_BASEURL` | Required | ezBookkeeping server base URL ... `EBKTOOL_TOKEN` | Required | ezBookkeeping API token
Store the token securely, rotate it if exposed, and use the narrowest possible permissions.
Users have less external context for deciding whether to trust the included scripts with their bookkeeping credentials.
The skill's provenance is not well documented, which matters more because it handles a personal finance API token.
Source: unknown; Homepage: none
Review the included scripts and install only from a publisher/source you trust.
