ezBookkeeping API Tools

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: ezbookkeeping
Version: 1.4.0

The ezbookkeeping skill bundle provides a legitimate command-line interface for interacting with the ezBookkeeping personal finance API. The included scripts (ebktools.sh and ebktools.ps1) are well-structured wrappers for curl and Invoke-WebRequest, featuring robust input validation and response formatting. They securely handle authentication by reading specific environment variables (EBKTOOL_SERVER_BASEURL and EBKTOOL_TOKEN) from the environment or local .env files. No indicators of data exfiltration, malicious execution, or prompt injection were found; the code logic is entirely consistent with the stated purpose of managing personal finance data on a user-specified self-hosted server.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could add or alter bookkeeping structures if it invokes the wrong command or acts on an ambiguous request.

Why it was flagged

The script exposes POST commands that can mutate bookkeeping account/category data. These are sensitive financial-record operations and the SKILL.md usage does not describe confirmation, scoping, or rollback expectations.

Skill content

"Name": "accounts-add", ... "Method": "POST", "Path": "accounts/add.json" ... "Name": "transaction-categories-add", ... "Method": "POST", "Path": "transaction/categories/add.json"

Recommendation

Use this only with explicit user approval for any write operation, and prefer read-only or least-privilege API tokens if ezBookkeeping supports them.

What this means

The skill could enumerate active sessions and revoke tokens, potentially logging out other clients or disrupting account access.

Why it was flagged

The script includes session/token listing and revocation capabilities. That account-management authority is not clearly called out in the skill's high-level description.

Skill content

"Name": "tokens-list", "Description": "Retrieve all sessions for the current user" ... "Name": "tokens-revoke", "Description": "Revoke a specified token", "Method": "POST", "Path": "tokens/revoke.json"

Recommendation

Only provide a token you are comfortable using for session-management actions, and require explicit confirmation before any token revocation.

What this means

Anyone or any agent process with access to this token may be able to read or modify ezBookkeeping data according to the token's privileges.

Why it was flagged

The required API token is purpose-aligned for calling ezBookkeeping, but it is still a sensitive credential that grants account/API access.

Skill content

`EBKTOOL_SERVER_BASEURL` | Required | ezBookkeeping server base URL ... `EBKTOOL_TOKEN` | Required | ezBookkeeping API token

Recommendation

Store the token securely, rotate it if exposed, and use the narrowest possible permissions.

What this means

Users have less external context for deciding whether to trust the included scripts with their bookkeeping credentials.

Why it was flagged

The skill's provenance is not well documented, which matters more because it handles a personal finance API token.

Skill content

Source: unknown; Homepage: none

Recommendation

Review the included scripts and install only from a publisher/source you trust.