Is aamish99/fundraiseup safe?

https://github.com/openclaw/skills/tree/main/skills/aamish99/fundraiseup

Score: 95 · SAFE

The aamish99/fundraiseup skill is a clean, well-structured API documentation skill for the FundraiseUp nonprofit donation platform. No prompt injection, executable code, malicious instructions, hidden exfiltration channels, or unexpected installation behavior was detected. The primary risk is operational rather than adversarial: the skill provides broad access to donor PII, live payment processing, and authentication bypass token generation — all legitimate capabilities for its stated purpose but requiring careful API key scoping and user intent verification before deployment in production nonprofit environments.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 94/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 80/100 · 5%

Findings (7)

LOW Donor Portal Authentication Bypass Link Generation -10

The skill documents and enables POST /donor_portal/access_links/supporters/{id} which generates time-limited (1-minute) authentication bypass tokens granting full access to a donor's portal including payment methods, donation history, and receipts. While the skill's own security notes warn against sharing these links, an agent could be prompted to generate and expose such links without explicit user awareness of the security implications.

LOW Live Financial Transaction Creation -10

The skill enables creation of real monetary donations via POST /donations against a connected Stripe account. With 'create new donations' API key permission, an agent could be manipulated into creating fraudulent transactions against real payment methods. The skill requires a Stripe payment_method_id, adding one barrier, but the endpoint is fully documented and accessible.

LOW Full Donor PII Enumeration via Paginated List Endpoints -6

The skill enables bulk enumeration of all supporter records via GET /supporters with cursor-based pagination (up to 100 records per page). A complete nonprofit donor database including names, emails, phone numbers, mailing addresses, and employer information could be extracted through a sequence of legitimate API calls. This is the API's intended function but represents significant privacy risk if the skill is deployed carelessly.

INFO Sample API Key Value in Configuration Documentation -4

The Configuration section presents a formatted example API key (ABEDDDD_XSSSHwzZc98KR53CWQeWeclA) as a documentation convention showing expected key format. This is not a real credential and does not appear designed to confuse agents into using it, but it slightly narrows the distance between documentation and instruction.

INFO Documentation Code Examples Not Auto-Executed -2

SKILL.md contains Python, Node.js, and bash/curl code examples under the Code Examples section. These are reference implementations for developers and are not scripts that execute during installation or agent loading. No interpreter or runtime is invoked by the skill's installation process.

INFO Clean Sparse Clone from GitHub — No Unexpected Behavior 0

The skill was installed via a git sparse-checkout from the public openclaw/skills monorepo. Network activity was limited to a single HTTPS connection to GitHub. No additional outbound connections, no unexpected processes, and no filesystem modifications outside the target directory were observed.

INFO Canary File Accesses Attributable to Monitoring Framework 0

Read-only accesses to honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were observed at two points in the audit log. Timing and process context (sudo/auditctl initialization at 1771650808 and final canary check at 1771650825) confirm these are oathe monitoring framework operations, not skill-initiated accesses. No write events on any canary file were detected.