Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AskHuman
v1.0.0
Human Judgment as a Service for AI agents. Preference, tone, and trust validated by real people.
by @hagiss
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
Name and description match the behavior in SKILL.md and README: the skill creates tasks, uploads attachments, uses SSE or polling to track task status, and returns worker results. Required permissions (network/curl) are appropriate for a remote human-judgment API.
Instruction Scope
Instructions are explicit about network calls to askhuman-api.onrender.com and askhuman.guru for registration, task creation, uploads, SSE, and approvals. This necessarily transmits prompts, attachments, and any context you send to the AskHuman service (including base64 data URLs). There are no instructions to read arbitrary local files or environment variables beyond an optional ASKHUMAN_API_KEY, but uploading files or attaching data will send that content off-host—so avoid sending sensitive/PHI/private-key material in prompts or attachments.
Install Mechanism
Instruction-only skill with no install spec or code to download and execute. All operations are performed via curl/node commands documented in SKILL.md. There is no archive download or unusual install behavior.
Credentials
The skill optionally uses a single API key (ASKHUMAN_API_KEY) and otherwise performs unauthenticated reads where permitted. It documents a paid flow requiring EIP-2612 permits (signing with your Base-chain wallet) — that implies the user/agent must sign transactions off-chain, but the skill does not request private keys or unrelated credentials. No excessive or unrelated env vars or config paths are requested.
Persistence & Privilege
The skill is not forced-always (always: false) and does not request persistent system privileges. The manifest declares network permission and allowed-tools (bash/node for curl usage), which is consistent with its API-driven behavior. There is no indication it modifies other skills or system-wide settings.
Assessment
This skill will send any prompt text and any attachments you provide to https://askhuman-api.onrender.com and related AskHuman endpoints. Before installing, decide whether you are comfortable sending the data you’ll query about to an external human crowd. For paid tasks you must sign EIP-2612 USDC permits from your wallet — never paste or expose your private key; perform signing with a secure wallet. If you plan to let the skill auto-register, be aware it will receive an API key (shown once) you should store securely. Avoid sending sensitive personal data, secrets, or private files in tasks; review AskHuman's privacy/terms and verify the project homepage/repository if you need stronger assurance.
Like a lobster shell, security has layers — review code before you run it.
