QBO Automation
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: qbo-automation
Version: 98.0.1

The qbo-automation skill provides legitimate documentation and Python code snippets for automating QuickBooks Online accounting tasks such as chart of accounts setup, bank rules, and journal entries. It correctly uses official Intuit API endpoints (quickbooks.api.intuit.com) and standard OAuth2 flows for authentication using environment variables, with no evidence of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may give the agent enough authority to access and change company accounting data in QuickBooks.
The skill asks for privileged access and long-lived QBO credentials for a company accounting system, while the supplied registry requirements declare no env vars or primary credential.
- QBO account with admin or accountant access
- QBO API credentials (Client ID, Client Secret, Refresh Token) stored in environment:
  - `QBO_CLIENT_ID`
  - `QBO_CLIENT_SECRET`
  - `QBO_REFRESH_TOKEN`
  - `QBO_REALM_ID`
Use least-privilege QBO credentials where possible, confirm the company/realm before use, avoid storing tokens broadly, and require explicit approval before any write operation.
A mistaken or overbroad agent action could alter the chart of accounts in a real QuickBooks company file.
The example performs a live POST to the QBO account endpoint and creates an account, which is a financial-record mutation; the artifact does not specify approval, dry-run, or rollback controls.
resp = requests.post(
f"https://quickbooks.api.intuit.com/v3/company/{realm_id}/account",
...
# Example: Create a new expense account
token = get_access_token()
realm = os.environ["QBO_REALM_ID"]
result = create_account(token, realm,
Require user confirmation for every QBO write, test in a sandbox company first, log intended changes before execution, and document rollback steps.
An incorrect rule could miscategorize many transactions, affecting reconciliation, reporting, and accounting accuracy.
Running a bank rule against unreviewed transactions can apply categorization changes across many imported transactions; the instruction does not include preview, sampling, or containment guidance.
3. Save and run rule against unreviewed transactions
Preview affected transactions, run rules on a small sample first, keep a change log, and have an accountant review bulk categorization changes.
