Manage YNAB budgets, accounts, categories, and transactions.
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: ynab Version: 1.0.0 The skill bundle is benign. It provides instructions and examples for using the `ynab-cli` tool to manage YNAB budgets, accounts, and transactions. The `SKILL.md` file clearly defines the skill's purpose, required environment variables (`YNAB_API_KEY`), and installation steps (`npm i -g @stephendolan/ynab-cli`). All commands demonstrated are standard operations for a financial management CLI and show no evidence of data exfiltration, malicious execution, persistence, obfuscation, or prompt injection attempts against the AI agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent uses these commands incorrectly, it could alter or delete YNAB budget and transaction records.
The skill documents direct mutation and deletion of financial budget records plus a raw API escape hatch, without accompanying safeguards such as explicit confirmation, scope limits, or rollback guidance.
ynab transactions update <id> --amount <amount>
ynab transactions delete <id>
ynab scheduled delete <id>
ynab api POST /budgets/{budget_id}/transactions --data '{"transaction": {...}}'Use this skill only with explicit user-confirmed instructions for any create, update, delete, split, or raw API operation. Prefer read-only commands by default and require confirmation of budget/account IDs, amounts, dates, and transaction IDs before mutation.
The agent can access YNAB data available to the provided API key or CLI login.
The skill requires YNAB account credentials/API access. This is purpose-aligned, but it gives the agent delegated access to private financial budgeting data.
# Get API key from https://app.ynab.com/settings/developer # Then set YNAB_API_KEY env var, or: ynab auth login
Use a revocable YNAB API key, keep it out of shared logs or prompts, and remove or rotate it when the skill is no longer needed.
You must trust the npm package that handles your YNAB API key and budget data.
The skill depends on installing a third-party npm CLI. This is expected for the stated CLI purpose, but the package code was not included in the reviewed artifact set.
node | package: @stephendolan/ynab-cli | creates binaries: ynab
Verify the npm package source and publisher before installing, and consider pinning a known-good version.