YNAB (You Need A Budget) budget management via API. Add transactions, track goals, monitor spending, create transfers, and generate budget reports. Use this...
Security Analysis
high confidence
The skill appears to do what it says (YNAB API reporting and transaction helpers) and only needs YNAB credentials and local config; the main issues are metadata inconsistencies and a somewhat broad invocation rule in SKILL.md that you should be aware of.
Functionality (scripts that call api.ynab.com using curl/jq) matches the YNAB budget-management purpose. However there are metadata mismatches: SKILL.md declares requiredEnv (YNAB_API_KEY, YNAB_BUDGET_ID) and mentions curl/jq, while the registry metadata at the top lists no required env vars and no required binaries. _meta.json also contains a GitHub homepage/source although top-level 'Source: unknown / Homepage: none' claims otherwise. These inconsistencies are likely administrative but should be reconciled before trusting provenance.
Runtime instructions and all scripts are focused on YNAB API operations (transactions, transfers, scheduled items, reports). The SKILL.md guidance to 'use this skill whenever the user mentions ... personal finances — even if they just say "add an expense"' is broad: it may cause the agent to invoke the skill for general finance queries where the user didn't intend YNAB integration. Scripts read only the declared config (~/.config/ynab/config.json) or env vars; they don't probe other system files.
No install spec or third-party download is present; the package is a set of bash scripts and docs. This is low risk from an installation-execution perspective. Scripts require standard tools (curl, jq, date, bc) but no installers are fetched from arbitrary URLs.
The only sensitive items the skill uses are the YNAB API key and Budget ID (and optionally YNAB_MONTHLY_TARGET in config). That is proportionate to the stated functionality. Note the registry metadata omission of these required env vars (SKILL.md marks them required) — confirm the platform will provide these securely. Scripts expect config at ~/.config/ynab/config.json if env vars not set.
The skill does not request always:true, does not modify other skills or system-wide settings, and only reads/writes its own config file location. Agent autonomous invocation is allowed (platform default) — SKILL.md's broad 'use whenever' rule could increase frequency of autonomous use, but this is not a privilege escalation.
Guidance
This skill's code is coherent and appears to only call the official YNAB API; it legitimately needs your YNAB API token and budget ID and will read a local config file (~/.config/ynab/config.json) if env vars are not set. Before installing:
(1) Confirm where the skill was published (registry top-level data inconsistently shows no homepage/source while _meta.json points to a GitHub repo); prefer installing only from a trusted source.
(2) Provide only the YNAB API key and budget ID — do not supply unrelated credentials.
(3) Store the config file with restrictive permissions (chmod 600) or use environment variables, and rotate the token if you stop using the skill.
(4) Be aware SKILL.md asks the agent to invoke this skill for any budget/expense-related phrasing (even when YNAB isn't explicitly mentioned) — if you want tighter control, adjust the agent's invocation rules or remove the 'use whenever' guidance.
(5) Review the scripts yourself (they're simple bash) and verify you have jq/curl installed.
If you want higher assurance, ask the publisher for the canonical GitHub URL and verify the commit history and ownership before trusting sensitive tokens.
Latest Release
v2.3.0
Add daily spending report with budget pacing analysis
Published by @f-liva on ClawHub