Manage YNAB budgets, accounts, categories, and transactions.
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses these commands incorrectly, it could alter or delete YNAB budget and transaction records.
The skill documents direct mutation and deletion of financial budget records plus a raw API escape hatch, without accompanying safeguards such as explicit confirmation, scope limits, or rollback guidance.
ynab transactions update <id> --amount <amount>
ynab transactions delete <id>
ynab scheduled delete <id>
ynab api POST /budgets/{budget_id}/transactions --data '{"transaction": {...}}'Use this skill only with explicit user-confirmed instructions for any create, update, delete, split, or raw API operation. Prefer read-only commands by default and require confirmation of budget/account IDs, amounts, dates, and transaction IDs before mutation.
The agent can access YNAB data available to the provided API key or CLI login.
The skill requires YNAB account credentials/API access. This is purpose-aligned, but it gives the agent delegated access to private financial budgeting data.
# Get API key from https://app.ynab.com/settings/developer # Then set YNAB_API_KEY env var, or: ynab auth login
Use a revocable YNAB API key, keep it out of shared logs or prompts, and remove or rotate it when the skill is no longer needed.
You must trust the npm package that handles your YNAB API key and budget data.
The skill depends on installing a third-party npm CLI. This is expected for the stated CLI purpose, but the package code was not included in the reviewed artifact set.
node | package: @stephendolan/ynab-cli | creates binaries: ynab
Verify the npm package source and publisher before installing, and consider pinning a known-good version.