Is popup-organizer safe?
https://clawhub.ai/eliaskress/popup-organizer
PopUp Organizer is a straightforward API integration skill that provides documentation for the usepopup.com event vendor management platform. It contains no executable code, no prompt injection attempts, and no data exfiltration mechanisms. The skill is purely a SKILL.md file with API endpoint documentation. Minor concerns exist around the financial operations and vendor messaging capabilities that could be misused if the agent receives conflicting instructions, but these are inherent to the service's legitimate functionality.
Findings (8)
LOW Single environment variable credential requirement -5
The skill requires the POPUP_API_KEY environment variable. While this is consistent with its stated API integration purpose, it grants the agent access to an API key that controls financial operations (invoicing, booking, event management). The scope of access is appropriate for the skill's functionality.
LOW External URL reference for setup instructions -5
The skill references https://usepopup.com/login for user setup. This is a legitimate reference for the service's login page and does not instruct the agent to fetch or execute content from this URL. It is purely informational for the human user.
MEDIUM API sends user profile data to third-party service -10
The Profile and Inquiry endpoints transmit potentially sensitive organizer information (phone number, company details, location, website, messages) to usepopup.com. This is expected behavior for an event management API but represents data leaving the user's environment to a third-party service.
LOW Bearer token sent in every API request -5
The POPUP_API_KEY is sent as a Bearer token in the Authorization header to usepopup.com for every API call. This is standard API authentication practice but means the credential is transmitted over the network frequently.
LOW Financial operations accessible to agent -10
The skill exposes endpoints for managing invoices, accepting/declining quotes, setting booth fees, and managing event budgets. An agent acting on ambiguous user instructions could inadvertently accept expensive quotes or create events with unintended financial commitments.
LOW Vendor messaging could be abused for spam -15
The Create Inquiry endpoint allows sending messages to vendors with a free-text message field. If the agent is manipulated via prompt injection from another source, it could send spam or phishing messages to vendors through this channel.
INFO Network connections during install are system-level only -5
The two external IPs contacted during clone (185.125.188.54 on port 443, 216.150.1.1 on port 443) are Ubuntu/Canonical infrastructure and the ClawHub registry respectively. No skill-initiated network activity was observed.
INFO SSH host key reads during install are system-level -10
The filesystem monitoring shows reads of /etc/ssh/ssh_host_* keys, but these are from the SSH daemon during the audit harness's SSH session setup, not from the skill itself.