Skill v1.0.0

ClawScan security

RentaUnHumano MCP · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 12, 2026, 11:35 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's requested resources (mcporter binary and a single RENTA_API_KEY) and runtime instructions match its stated purpose of integrating an MCP for real-world tasks; there are no obvious requests for unrelated credentials or unexpected system access — but pay attention to runtime npm fetching and the power of the API key.
Guidance
This skill appears to be what it says: an MCP adapter that needs mcporter and a RENTA_API_KEY. Before installing:
(1) Treat RENTA_API_KEY like a sensitive credential — use a sandbox_ key for testing and rotate keys after use.
(2) Inspect the @rentaunhumano/mcp-server npm package (and prefer a pinned version) because the mcporter config runs it via npx (runtime code download).
(3) Ensure mcporter is from a trusted source and that adding config/mcporter.json is acceptable in your environment.
(4) If you don't want the agent to autonomously create missions or trigger payments, restrict autonomous invocation or add explicit confirmation steps.
(5) Verify the service (rentaunhumano.com) and its terms, and confirm payment flow and dispute controls before providing a production API key.

Review Dimensions

Purpose & Capability
ok: The name and description ask to manage missions, humans, and payments, and the skill requires the mcporter binary and a RENTA_API_KEY — both are coherent with an MCP integration. The SKILL.md describes configuring mcporter to run an MCP server adapter and using an API key for auth, which matches the purpose.
Instruction Scope
note: The instructions are scoped to registration, setting RENTA_API_KEY, writing a mcporter config file (config/mcporter.json), and verifying available tools. These are within the skill's domain, but the SKILL.md also instructs use of npx to run @rentaunhumano/mcp-server at runtime, and includes example curl calls that create agent credentials — both actions should be considered when granting the API key or running commands.
Install Mechanism
note: There is no formal install spec (instruction-only), which lowers static install risk. However the mcporter configuration uses 'npx -y @rentaunhumano/mcp-server' (no pinned version), meaning running the skill will download and execute code from the npm registry at runtime. That's expected for an MCP adapter but is a supply-chain risk you should acknowledge.
Credentials
ok: Only one environment variable is required (RENTA_API_KEY), and it is declared as the primary credential. That aligns with the described functionality. Note: the API key appears to grant the ability to create/cancel missions, manage payments, reviews and disputes — it is powerful and should be treated as a sensitive secret (use sandbox_ keys for testing).
Persistence & Privilege
note: The skill is not always-enabled and uses the platform defaults for autonomous invocation. This is normal. However, because the API key permits real-world payments and task creation, allowing the agent to call the skill autonomously increases potential impact — consider limiting autonomous use or adding guardrails.