Humanpages

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill’s marketplace purpose is clear, but it gives the agent real-world hiring, payment, and review powers without documented confirmation or amount limits.

Before installing, decide whether you are comfortable giving an agent access to a human-hiring marketplace. Require manual approval for every offer, payment-related step, payment stream change, and review, and verify the npm package and API key handling.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-eager agent action could create a job offer, record or manage payment activity, or leave a review that affects money and reputations.

Why it was flagged

These enabled action groups can create real-world obligations, affect payment state, and alter reputation, but the artifacts do not require explicit user approval, amount limits, or reversible controls before those actions.

Skill content

jobs | Y | Create job offers and manage job lifecycle
payments | Y | Record payments and manage streams
reviews | Y | Leave reviews for completed jobs

Recommendation

Only use this skill with a clear rule that every offer, payment-related action, stream change, and review must be confirmed by the user, including recipient, amount, network, and final text.

What this means

Anyone or any agent workflow using the key may be able to view sensitive profile/payment-contact details and act as the agent on the service.

Why it was flagged

The provider credential enables access to detailed contact and payment profile information. This is purpose-aligned for hiring, but it is sensitive account-authorized access.

Skill content

`get_human_profile` to see contact info, wallet addresses, fiat payment methods, and social links. Pass the `agent_key`.

Recommendation

Protect the Humanpages agent key, avoid sharing it in prompts or logs, and use the narrowest account/key permissions available.

What this means

A future package update or package-source compromise could change what tools run locally, including tools tied to hiring and payment workflows.

Why it was flagged

The skill starts its MCP server by resolving and running an npm package without a pinned version; the actual server code is not included in the reviewed files.

Skill content

exec npx -y humanpages

Recommendation

Prefer a pinned package version, verify the npm package provenance, and run the MCP server in a restricted environment.

What this means

If the wrong callback URL is used or the webhook secret is mishandled, job or platform event information could be delivered to an unintended party.

Why it was flagged

The skill can send marketplace events to user-provided callback endpoints. This is a normal integration feature, but webhook destinations and secrets need careful handling.

Skill content

Optionally provide a `webhook_url` to receive platform events ... Optional: set `callback_url` for webhook notifications

Recommendation

Use only trusted HTTPS webhook endpoints, verify webhook signatures/secrets, and do not route callbacks to shared or untrusted services.