QBO Automation
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This QuickBooks skill is coherent for accounting automation, but it asks for powerful QBO credentials and gives direct financial-record mutation workflows without clear guardrails or declared credential requirements.
Review carefully before installing. This skill is for real accounting automation and may change QuickBooks company data. Only use it with a trusted QBO account, require explicit approval before writes, test in a sandbox, and involve an accountant for bulk rules, journal entries, or chart-of-accounts changes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may give the agent enough authority to access and change company accounting data in QuickBooks.
The skill asks for privileged access and long-lived QBO credentials for a company accounting system, while the supplied registry requirements declare no env vars or primary credential.
- QBO account with admin or accountant access
- QBO API credentials (Client ID, Client Secret, Refresh Token) stored in environment:
  - `QBO_CLIENT_ID`
  - `QBO_CLIENT_SECRET`
  - `QBO_REFRESH_TOKEN`
  - `QBO_REALM_ID`
Use least-privilege QBO credentials where possible, confirm the company/realm before use, avoid storing tokens broadly, and require explicit approval before any write operation.
A mistaken or overbroad agent action could alter the chart of accounts in a real QuickBooks company file.
The example performs a live POST to the QBO account endpoint and creates an account, which is a financial-record mutation; the artifact does not specify approval, dry-run, or rollback controls.
resp = requests.post(
f"https://quickbooks.api.intuit.com/v3/company/{realm_id}/account",
...
# Example: Create a new expense account
token = get_access_token()
realm = os.environ["QBO_REALM_ID"]
result = create_account(token, realm,
Require user confirmation for every QBO write, test in a sandbox company first, log intended changes before execution, and document rollback steps.
An incorrect rule could miscategorize many transactions, affecting reconciliation, reporting, and accounting accuracy.
Running a bank rule against unreviewed transactions can apply categorization changes across many imported transactions; the instruction does not include preview, sampling, or containment guidance.
3. Save and run rule against unreviewed transactions
Preview affected transactions, run rules on a small sample first, keep a change log, and have an accountant review bulk categorization changes.
