Fundraise Up
Warn
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is coherent for FundraiseUp, but it needs review because it can use a FundraiseUp API key to read donor data and create real or recurring donations without explicit safety guardrails.
Install only if you intend to let the agent work with FundraiseUp account data. Start with a test-mode or read-only API key, verify the instructions against official FundraiseUp docs, and require explicit approval before any action that creates donations, recurring plans, donor portal links, or other account changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a live key and payment method, the agent could create actual donations or recurring plans in the FundraiseUp account.
The skill documents a workflow that can create real financial transactions and recurring plans through the API, but the visible instructions do not require explicit user confirmation or test-mode use before mutation.
#### Create Donation
**Endpoint:** `POST /donations`
**Description:** Create a one-time or recurring donation...
**Prerequisites:** ... API key with "create new donations" permission
Use test keys by default, require explicit user approval before any POST/PUT/PATCH/DELETE or recurring-plan action, and keep the API key read-only unless donation creation is required.
A key with these permissions can expose donor records and perform privileged account actions if mishandled or over-scoped.
The skill requires a powerful FundraiseUp bearer token with data access and account-mutation permissions; this is not reflected in the registry metadata, which lists no required env vars or primary credential.
Required environment variables: `FUNDRAISEUP_API_KEY` - API Key ... Select permissions: Retrieve donation data; Create new donations; Generate Donor Portal access links
Declare the credential requirement in metadata, create a least-privileged key, prefer test-mode keys for setup, and rotate any key that has been shared too broadly.
Donor and payment-related records may be visible in prompts, responses, logs, or downstream workflows unless the user limits what is retrieved.
Donation and supporter retrieval is purpose-aligned, but it can place sensitive donor PII, addresses, custom fields, and transaction information into the agent context.
**Description:** Retrieve all donations ... **Response Fields:** ... `supporter`: Supporter information ... `mailing_address` ... `custom_fields`
Query only the records needed, avoid broad exports, redact unnecessary PII, and follow nonprofit privacy and data-retention requirements.
Users have less assurance that the instructions match official FundraiseUp API guidance.
There is no code install risk, but the skill’s provenance is not verifiable from the supplied registry metadata, which matters for a finance-related API integration.
Source: unknown
Homepage: none
Verify endpoint behavior and permission requirements against official FundraiseUp documentation before using a live API key.
