RentaUnHumano MCP

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill appears to do what it advertises, but it can give an unreviewed external package a key that can hire people and affect payments, so it deserves careful review before use.

Install only if you intend for your agent to coordinate real-world human tasks. Start with a sandbox key, review or pin the external npm MCP server before giving it a production key, require manual approval for paid or public-impact actions, and set clear spending and task limits.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent is allowed to use these tools freely, it could create or cancel paid real-world missions, message workers, or leave reviews/disputes without the user noticing each action.

Why it was flagged

These tools can trigger real-world work, account state changes, reviews, and disputes. The artifact does not state approval requirements, budget caps, batch limits, or role restrictions for production use.

Skill content

`create_task` Create a new mission; `batch_create_tasks` Create multiple missions at once; `accept_task` Accept a mission (human side); `create_review`; `create_dispute`

Recommendation

Use sandbox mode first, require explicit user confirmation for every non-sandbox create/cancel/review/dispute/payment action, and set strict budget and batch-size limits.

What this means

A compromised or changed npm package could execute local code or misuse the RentaUnHumano account key to perform marketplace actions.

Why it was flagged

The skill is instruction-only with no reviewed code in the artifact set, but it directs users to run an unpinned external npm package and provide it the API key.

Skill content

`"command": "npx", "args": ["-y", "@rentaunhumano/mcp-server"], "env": { "RENTA_API_KEY": "${RENTA_API_KEY}" }`

Recommendation

Pin the MCP server to a specific audited version, verify its source and package integrity, and use a sandbox or least-privilege/revocable API key.

What this means

Anyone or any process with this key may be able to act on the user’s RentaUnHumano account.

Why it was flagged

The API key is expected for this marketplace integration, but it is account authority for creating and managing missions. The artifacts do not show leakage, but users should treat the key as sensitive.

Skill content

`requires":{"bins":["mcporter"],"env":["RENTA_API_KEY"]}, "primaryEnv":"RENTA_API_KEY"`

Recommendation

Use a separate key for this skill, prefer sandbox keys for testing, rotate the key if exposed, and apply account spending or scope limits if the provider supports them.

What this means

Private addresses, business details, photos, or other mission information may be shared with the platform and assigned workers.

Why it was flagged

Mission details, messages, addresses, and proof files are expected to flow through the provider and human workers, but those details can be sensitive.

Skill content

`send_message` Send a message on a mission; `get_result` Get mission result and proof files; examples include street addresses for photo/verification tasks

Recommendation

Share only the minimum information needed for a task, avoid secrets or unnecessary personal data, and review the provider’s privacy and worker-access policies.