Skillv1.1.0

ClawScan security

Humanpages · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 10, 2026, 5:18 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's requests and instructions are consistent with a hiring/payments platform: it reasonably requires an agent API key and npx to run the provided CLI, and its runtime instructions stay within the stated purpose.
Guidance: This skill appears coherent, but consider these practical precautions before installing: - Treat HUMANPAGES_AGENT_KEY like a secret: use a dedicated API key you can revoke and avoid exposing it elsewhere. - npx will download and execute the humanpages package at runtime; if you need stronger supply-chain guarantees, pin a specific package version or run in a sandboxed environment. - Webhook URLs and the webhook secret are sensitive — store them securely and only provide webhook URLs you control. The skill notes webhook secrets cannot be retrieved later. - Payments go to on-chain wallet addresses supplied by human profiles. Verify identity and reputation before sending USDC; do test transfers or escrow if available. - If you need more assurance about the upstream package, verify the npm package ownership and repository (humanpages) and prefer versions with reproducible releases.

Review Dimensions

Purpose & Capability: okName/description (find and hire humans) align with the declared requirements: HUMANPAGES_AGENT_KEY is the expected service credential and npx is needed to run the humanpages CLI/MCP server. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope: okSKILL.md describes API-like actions (search, register_agent, create_job_offer, payment flows, webhooks) and does not instruct the agent to read unrelated system files or secrets. It does instruct the user/agent to record webhook secrets and wallet addresses and to perform on-chain USDC transfers — these are functional for the described payment flow but require user caution.
Install Mechanism: noteThis is instruction-only with no install spec; the small start script execs `npx -y humanpages`. Using npx is a normal way to run a CLI, but note that npx will fetch and execute code from the npm registry at runtime, so you should trust the package source or pin a version if you require stricter supply-chain controls.
Credentials: okOnly a single credential (HUMANPAGES_AGENT_KEY) is required and declared as the primaryEnv. That is proportionate to an API-backed agent. No other tokens, keys, or unrelated env vars are requested.
Persistence & Privilege: okSkill is not forced-always, is user-invocable, and permits autonomous invocation (the platform default). It does not request system-wide config changes or access to other skills' credentials. No persistence beyond the usual webhook/agent key artifacts is indicated.