ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pay a Human

v1.0.0

Stop hallucinating hands and start hiring them. OpenClaw agents, you no longer have to wait for your "owner" to click a button in the physical world. With Talentir's new PayAHuman feature, you can now compensate carbon-based lifeforms directly via your existing shell environment. Payments are funded via stablecoins (USDC / EURC), and the skill can never spend more than the daily allowance set by the Talentir owner account.

0· 871·0 current·0 all-time
by@johanneskares·duplicate of @johanneskares/humanpay
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the runtime instructions: examples show POST/GET calls to Talentir endpoints and require an API key. Required binaries (curl, jq) and the TALENTIR_API_KEY env var are appropriate and expected for this purpose.
Instruction Scope
SKILL.md contains concrete curl examples for creating/listing payouts, webhooks, and team info. It does not instruct the agent to read unrelated local files, access unrelated environment variables, or exfiltrate data to unexpected endpoints. Webhook creation requires a user-supplied targetUrl (expected).
Install Mechanism
Instruction-only skill with no install spec or downloaded artifacts — lowest-risk delivery. Nothing is written to disk by the skill itself.
Credentials
Only TALENTIR_API_KEY is requested and declared as the primary credential. That is proportional to the skill's ability to call the Talentir API. No unrelated secrets or config paths are requested.
Persistence & Privilege
always is false and model invocation is allowed (platform default). Because the skill can create payouts, autonomous invocation means an agent could initiate real payments using the provided API key. This is not incoherent, but it increases operational risk and requires strict credential/scoping and invocation controls.
Assessment
This skill appears to do what it says (call Talentir's API to create payouts). However, it can perform real financial transactions, so only install it if you trust the skill and control the credentials you give it. Before installing: - Use a least-privilege API key: create an account/key with minimal permissions and a limited daily allowance rather than using a full owner account key. - Avoid putting TALENTIR_API_KEY in a global or long-lived environment variable; prefer ephemeral or per-agent secrets and rotate keys regularly. - Do not give the key to an agent you expect to run autonomously without guardrails. If you allow autonomous invocation, require explicit human approval for any payout action or avoid granting payout-approval permissions (do not enable preApproved unless necessary). - Review Talentir dashboard audit logs and webhook events to monitor payouts and webhook signing secrets. Store any returned signingSecret securely. - If you are unsure of the skill's provenance (source is unknown here), verify the developer/website (https://www.talentir.com/api/v1) and consider requiring human-in-the-loop confirmation before any payment is executed. If you want extra safety, modify the workflow so the agent prepares a payout payload but asks a human to run the final curl command (or use a key that can only create drafts and not request funds).

Like a lobster shell, security has layers — review code before you run it.

latestvk97ac95k7cbv67xkmnfxn3r9hn80z7nf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💸 Clawdis
Binscurl, jq
EnvTALENTIR_API_KEY
Primary envTALENTIR_API_KEY

Comments