Fundraise Up
v1.0.1Interact with FundraiseUp REST API to manage donations, recurring plans, supporters, campaigns, and donor portal access. Process online and offline donations, retrieve fundraising analytics, and integrate with nonprofit CRM systems.
⭐ 3· 1.7k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md clearly documents FundraiseUp REST API operations (donations, recurring plans, supporters, analytics) which align with the declared purpose. However, the runtime instructions require an API key (FUNDRAISEUP_API_KEY) and describe payment/Stripe prerequisites, yet the registry metadata reports no required environment variables or primary credential. That metadata–instruction mismatch is inconsistent and could lead to silent failure or unexpected secret handling.
Instruction Scope
The SKILL.md stays on-topic: it documents endpoints, headers, rate limits, example requests, and prerequisites (Stripe payment method IDs, PCI notes). It does not instruct the agent to read unrelated files, traverse system paths, or exfiltrate data to unexpected endpoints. Examples require inclusion of an Authorization Bearer token and recommend secure handling of keys.
Install Mechanism
No install spec and no code files — the skill is instruction-only. That minimizes install-time risk because nothing is downloaded or written to disk by the skill package itself.
Credentials
SKILL.md explicitly requires FUNDRAISEUP_API_KEY (and references Stripe payment method IDs for creating donations), but registry metadata lists 'Required env vars: none' and 'Primary credential: none'. Requesting an API key for the service is proportionate to the purpose, but the absence of that declaration in the published metadata is a mismatch and a governance risk. Also note the skill deals with payments/tokenized payment methods and references PCI considerations — users must ensure no raw card data is provided and that tokens/keys are scoped appropriately.
Persistence & Privilege
The skill does not request 'always: true', does not include install hooks, and has no declared config paths. It is user-invocable and allows autonomous invocation (platform default), which is expected. Nothing in the package requests elevated or persistent system privileges.
What to consider before installing
This skill generally looks like a normal FundraiseUp API client, but there are two things to verify before installing: (1) SKILL.md requires an API key named FUNDRAISEUP_API_KEY, yet the registry metadata does not declare any required credentials — ask the publisher to correct the metadata so you know what secrets are needed and why; (2) the publisher/source is unknown and there is no homepage — prefer skills from known, verifiable authors. Practical steps: do not provide a live/production API key until you verify the publisher and the declared env vars; use a test-scoped API key with minimal permissions first; confirm the key scope (read vs create donations) and audit logs on your FundraiseUp account; ensure you never submit raw card details — use tokenized Stripe payment_method_id tokens as described; request that the maintainer publish source or homepage and update registry metadata to include FUNDRAISEUP_API_KEY in requires.env. If the author cannot justify the missing metadata or provenance, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk979ftqwwct8gafytj8088bn0580f08j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.