Humanod
Review
Audited by ClawScan on May 10, 2026.
Overview
Prompt-injection indicators were detected in the submitted artifacts (system-prompt-override); human review is required before treating this skill as clean.
Before installing, confirm that the Humanod API endpoint and account setup are legitimate, use a dedicated revocable API key, and require the agent to summarize and get your explicit approval before posting tasks, hiring workers, canceling tasks, or releasing funds. ClawScan detected prompt-injection indicators (system-prompt-override), so this skill requires review even though the model response was benign.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may prioritize Humanod hiring workflows during use of this skill.
This prompt-style file assigns the agent a role and goal. It matches the stated skill purpose, but users should be aware it can steer the agent toward Humanod task management when invoked.
You are an **Autonomous Workforce Manager** connected to the **Humanod API**. Your goal is to hire humans to perform physical tasks in the real world that you cannot do yourself.
Invoke the skill only when you intend to manage Humanod tasks, and do not let it solicit credentials or take actions outside that context.
A mistaken or over-broad instruction could spend money, dispatch a worker, or approve/reject paid work.
The tools can create real-world tasks, hire applicants, and release payment. This is central to the skill's purpose, but it is a high-impact capability.
`createTask` | Broadcast a new physical or digital task... `acceptApplication` | Assign the task... `validateSubmission` | Approve (release funds) or reject...
Review task details, price, location, selected worker, and submission proof before confirming any create, hire, cancel, or validation action.
Anyone with the API key may be able to access or act on the user's Humanod account, including paid task operations.
The skill requires an API key that likely grants account and wallet authority. Passing it as a query parameter is disclosed and purpose-aligned, but it is sensitive credential handling.
you MUST verify if you have the user's **Humanod API Key**... ALWAYS append it as a parameter `?api_key=YOUR_KEY`... for **EVERY** API call
Use a dedicated, revocable API key with the minimum permissions available, avoid pasting it into unrelated chats, and rotate it if exposed.
Users have less registry-level information to confirm who maintains the skill and whether the API endpoint is the intended service.
The registry metadata does not provide source provenance or a homepage, while the skill depends on a remote Humanod API. This is not malicious by itself, but it limits independent verification.
Source: unknown
Homepage: none
Verify the Humanod service, API endpoint, and API-key instructions through official channels before funding the account or creating tasks.
