v1.0.1

Fundraise Up

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:19 AM.

Analysis

The skill is coherent with FundraiseUp, but it can use a live fundraising API key to read donor data and create donations or recurring plans, so it needs careful review before installation.

Guidance: Install only if you intentionally want the agent to operate FundraiseUp on your behalf. Use a test or least-privileged API key, require confirmation for all donation creation, recurring-plan creation, and donor portal link generation, and be careful with donor personal information and live payment methods.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
#### Create Donation
**Endpoint:** `POST /donations`

**Description:** Create a one-time or recurring donation ... `payment_method_id` ... `recurring_plan`

This shows the skill instructs the agent how to perform a live financial mutation, including use of a payment method and optional recurring plan, via a raw API call.

User impact: If used with a live API key and payment method, the agent could create charges or recurring donation plans in the FundraiseUp account.
Recommendation: Require explicit user confirmation before any POST or account-mutating call, default to test keys where possible, and set clear limits for campaign, amount, currency, and recurring-plan creation.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none

The skill has limited provenance information, which matters more because it is asking users to connect a financial fundraising API.

User impact: Users have less information to verify the maintainer or compare the instructions against an official source.
Recommendation: Verify the API details against official FundraiseUp documentation and only install the skill from a trusted source.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Required environment variables: `FUNDRAISEUP_API_KEY` ... Select permissions: Retrieve donation data; Create new donations; Generate Donor Portal access links

This shows the skill needs a bearer API key with privileges to read donor/payment-related data, create donations, and generate account access links.

User impact: A broadly scoped key could expose supporter and donation records or allow account actions that affect donors and fundraising operations.
Recommendation: Use a least-privileged FundraiseUp API key, prefer test mode during setup, avoid sharing admin-level keys with the agent, and ensure the registry credential requirements are declared before installation.