← 返回 Skills 市场
Ynab Api
作者
Federico Liva
· GitHub ↗
· v2.4.0
· MIT-0
628
总下载
0
收藏
2
当前安装
7
版本数
在 OpenClaw 中安装
/install ynab-api
功能描述
YNAB (You Need A Budget) budget management via API. Add transactions, track goals, monitor spending, create transfers, and generate budget reports. Use this...
安全使用建议
This package looks like a real YNAB integration (scripts call only the official YNAB API), but review these before installing: 1) Credentials: the scripts require YNAB_API_KEY and YNAB_BUDGET_ID (or ~/.config/ynab/config.json) — the registry metadata omits these; don't install unless you accept providing and protecting that API key. 2) Invocation policy: SKILL.md tells the agent to invoke this skill for any budget/expense mention (even if YNAB wasn't named). If you don't want the agent to access your YNAB automatically for generic finance chat, disable autonomous invocation or adjust the skill selection policy. 3) Behavior guidance: the skill tells the agent to retry silently and avoid declaring an expired token on the first 401 — consider whether you want the agent to delay informing you about credential problems. 4) Review the scripts locally: they are plain bash using curl/jq and only call api.ynab.com; check file permissions for ~/.config/ynab/config.json (set to 600) and do not commit it to VCS. 5) Ask the publisher to fix the registry metadata to explicitly list required env vars and to clarify the auto-invocation behavior. If you want me to, I can extract the exact lines that mention auto-invoke behavior and the 'do not declare expired key' guidance, or produce a minimal checklist for safe local testing.
功能分析
Type: OpenClaw Skill
Name: ynab-api
Version: 2.4.0
The ynab-api skill bundle provides a legitimate set of bash scripts for managing personal finances via the YNAB API. The scripts (such as daily-spending-report.sh and transfer.sh) use curl and jq to interact with the official YNAB endpoint (api.ynab.com) and handle sensitive environment variables (YNAB_API_KEY) appropriately. While SKILL.md and skill.toml contain specific instructions (some in Italian) directing the AI agent to retry silently on 401/429 errors and avoid immediately alerting the user to expired tokens, these are presented as technical workarounds for API rate-limiting behavior rather than malicious prompt injections. No evidence of data exfiltration, obfuscation, or unauthorized execution was found.
能力标签
能力评估
Purpose & Capability
The scripts and SKILL.md clearly implement YNAB operations and legitimately need a YNAB API key and budget id (curl + jq). That matches the described purpose. However, the registry metadata at the top of the package lists no required environment variables / primary credential while SKILL.md and every script require YNAB_API_KEY and YNAB_BUDGET_ID (and optionally YNAB_MONTHLY_TARGET). This mismatch between declared registry requirements and the runtime files is an incoherence that should be resolved (the skill will fail unless credentials are supplied).
Instruction Scope
The runtime instructions are explicit and largely scoped to YNAB API calls and local config. However two items are concerning: (1) SKILL.md tells the agent to use this skill whenever the user mentions budget/expense requests — even when YNAB is not named — which can cause the skill to be invoked for generic finance questions without explicit user consent (privacy risk). (2) The guidance instructs the agent not to tell the user that an API key is expired on the first 401 and to retry silently; this gives the agent discretion to withhold status about credentials and could confuse users if their token is actually invalid. Functionally the scripts only access the local config and YNAB API endpoints (no other remote endpoints), but the invocation policy and the 'do not declare expired key' guidance are scope-creep/behavioral concerns.
Install Mechanism
There is no install spec (instruction-only runtime) and no remote download — lower risk. However the package contains multiple executable bash scripts (they will be written to disk when the skill is installed or unpacked). No external installers or network-based installs are present, and scripts call only the YNAB API. This is generally low-risk but worth noting because code will exist in the environment.
Credentials
The secrets requested by the scripts (YNAB_API_KEY, YNAB_BUDGET_ID) are appropriate and proportional for a YNAB integration. The skill also reads a config file at ~/.config/ynab/config.json which is expected. The incoherence is that the top-level registry metadata omitted these required env vars whereas SKILL.md.metadata explicitly lists them — the mismatch should be fixed in the registry entry so users know what credentials are required.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent platform-wide privileges. It does not modify other skills or system configs. Autonomous invocation is allowed by default (user-invocable: true, disable-model-invocation: false) — combine this with the instruction to auto-invoke on any budget-related utterance and you get the earlier privacy/usefulness concern, but the skill itself does not request undue platform privileges.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install ynab-api - 安装完成后,直接呼叫该 Skill 的名称或使用
/ynab-api触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v2.4.0
**Improved error handling, retry logic, and API guidance.**
- Added robust guidance on handling API errors (especially 401/429), recommending silent retries before alerting the user.
- Clarified that 401 errors are often caused by temporary rate limits, not always expired tokens.
- Updated monthly spending calculation to explicitly exclude internal transfers.
- Included new agent instructions for retries and not assuming API key expiration on first error.
- Added/updated configuration and metadata files (prompt_context.md, skill.toml).
v2.3.0
Add daily spending report with budget pacing analysis
v2.2.0
Platform-agnostic rewrite: removed all openclaw/WhatsApp/hardcoded path references. Scripts use env vars or ~/.config/ynab/config.json only. SKILL.md reduced from 591 to 89 lines with progressive disclosure. Declared requiredEnv. Added homepage/source.
v2.1.1
Critical bugfix: added error handling and retry logic to daily-budget-check.sh to prevent cron job failures on temporary API errors
v2.1.0
Added one-command automation setup script - creates all recommended cron jobs interactively with dry-run mode
v2.0.0
Major update: Complete automation suite with goal tracking, scheduled transactions, month comparison, daily budget check, and fixed transfer support
v1.0.0
Initial release of the ynab-api skill with best-practice guides for using the YNAB API.
- Covers core workflows for adding and categorizing transactions, preventing duplicates, handling splits, and calculating expenses.
- Provides ready-to-use API command examples for common operations.
- Includes recommendations for secure configuration and environment variable setup.
- Explains handling special transaction types (splits, transfers) and category exclusions for accurate reporting.
- Outlines troubleshooting tips and common API mistakes.
元数据
常见问题
Ynab Api 是什么?
YNAB (You Need A Budget) budget management via API. Add transactions, track goals, monitor spending, create transfers, and generate budget reports. Use this... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 628 次。
如何安装 Ynab Api?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install ynab-api」即可一键安装,无需额外配置。
Ynab Api 是免费的吗?
是的,Ynab Api 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Ynab Api 支持哪些平台?
Ynab Api 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Ynab Api?
由 Federico Liva(@f-liva)开发并维护,当前版本 v2.4.0。
推荐 Skills