Talentir HumanPay
Verdict: Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is transparent about its purpose, but it gives an agent direct authority to create real payouts and manage payment webhooks without clear human-confirmation safeguards.
Review this skill carefully before installing. It is not just informational: it can guide an agent to send real payments and manage production webhooks through a Talentir API key. Use minimal permissions, low daily limits, and require explicit human confirmation for every payment and webhook change.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could initiate real payments from the connected Talentir account if it has the API key and sufficient permissions.
The skill documents direct API calls that create real payouts. The artifact does not add an instruction to obtain explicit user approval for the recipient, amount, currency, or final submission.
curl -s -X POST "https://www.talentir.com/api/v1/payout" ... "payoutAmount": "100.00", "currency": "EUR"
Only install with strict spending limits and require a separate explicit confirmation step for every payout, including recipient, amount, currency, and purpose.
A broadly privileged Talentir API key could let the agent spend funds or approve payouts within the account’s limits.
The required API key can authorize payment operations, and the documented preApproved field indicates some keys may also approve payouts automatically. The skill does not specify least-privilege scopes or guardrails.
Authorization: Bearer $TALENTIR_API_KEY ... `preApproved` ... `true` to auto-approve (requires `payout.api_approve` permission)
Use a least-privilege API key if available, avoid granting payout auto-approval unless absolutely required, and keep the daily allowance very low.
Users may underestimate the need for human review before an agent sends money.
The description explicitly frames the feature as letting agents bypass waiting for a human owner to take action, which is risky wording for a financial-payment capability.
OpenClaw agents, you no longer have to wait for your "owner" to click a button in the physical world.
Treat this as a payment-authorization tool, not a convenience helper; require human approval before any payout or webhook change.
Payment event information could be sent to the configured webhook endpoint, and the signing secret could be misused if exposed.
Webhook creation is disclosed and purpose-aligned, but it can forward payout event data to a configured URL and produces a signing secret that must be protected.
Create a webhook ... "targetUrl": "https://your-server.com/webhook", "eventType": "payout", "environment": "production" ... Save the returned `signingSecret` securely
Create webhooks only for trusted HTTPS endpoints, store the signing secret securely, and confirm the destination before enabling production events.
