Humanos - Programmable Human Authorization for Agent Actions

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Humanos approval integration; its network calls, credentials, user lookup, and optional guard hook fit that purpose, though users should configure it carefully.

Install only if you intend to use Humanos/VIA as a remote approval service. Use a dedicated least-privilege API key, protect ~/.openclaw/openclaw.json with restrictive permissions, review what contacts and action metadata will be sent to the API, and configure VIA_PROTECTED_TOOLS explicitly before enabling the optional guard hook.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: High
Confidence: 91%
Finding:
This script retrieves a credential from a remote endpoint (`/v1/credential/${ID}`), which goes beyond a narrowly scoped human-approval mechanism and introduces direct secret-access capability into the skill. In the context of a skill whose stated purpose is to require verifiable human approval before high-risk actions, embedding credential retrieval expands the attack surface and could let the skill obtain sensitive material unrelated to approval enforcement.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding:
The script sources a helper and then performs a remote GET request to fetch a credential, but the skill description is about enforcing human approval, not accessing secrets. That mismatch is dangerous because it creates hidden privileged behavior inside a trust-oriented control skill; if invoked by an agent, it could retrieve sensitive credentials without the user expecting that capability.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding:
This script performs direct user-directory lookup by contact, DID, or internal ID, which is broader than the stated purpose of merely enforcing verifiable human approval before high-risk actions. In a human-approval skill, exposing a general identity-resolution primitive increases the chance of unnecessary collection, correlation, or misuse of user data and can enable account discovery if called with attacker-supplied identifiers.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding:
The script supports directory-style lookup across multiple identifier types without showing a clear bound to a specific approval transaction or verified requester context. That makes the skill more dangerous in context: a human-approval component should usually validate a known approver, not provide a reusable user-enumeration endpoint that could facilitate identity mapping or discovery of internal user records.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The README encourages broad natural-language triggering of sensitive approval flows such as booking, signing, consent, and cancellation. In an agent environment, vague trigger phrases can cause unintended skill activation or overreach, especially when the skill is explicitly designed to authorize high-risk actions involving money, data, and identity. The surrounding context makes this more dangerous because accidental invocation here can initiate real approval workflows or alter authorization state.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The guidance says to use the skill whenever the agent is about to do something requiring a human to say yes first, and includes broad examples like identity verification, consent, or checking approvals. Such broad activation criteria can cause the agent to invoke the skill in situations the user did not explicitly request, leading to unnecessary transmission of personal data or disruptive approval workflows. Because this skill contacts external services and initiates approval requests, over-triggering has real privacy and operational impact.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The trigger keyword list includes generic terms such as approval, sign, consent, compliance, permission, and delegation, which are common in ordinary conversation. Keyword-based routing on such broad terms can mistakenly activate the skill for unrelated user intents, causing unnecessary API calls or data disclosure to the external Humanos service. In a security-sensitive approval skill, false activation is especially risky because it may solicit approvals or query identity data without clear user intent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation instructs users to place `VIA_API_KEY` and `VIA_SIGNATURE_SECRET` directly into a JSON config file without warning about plaintext secret storage. That increases the chance of credential exposure through local file compromise, backups, logs, screenshots, or accidental commits, and these credentials appear security-sensitive because they gate authorization checks.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The hook description states it intercepts every tool call and verifies mandates via an external API, but it does not clearly warn that tool-call metadata may be transmitted off-host to `https://api.humanos.id` or another configured endpoint. In a security-control hook, this omission is significant because intercepted tool calls can contain sensitive operational details, commands, filenames, or user data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
This hook sends sensitive operational context to an external service by placing the derived scope and tool name into a remote API request, but the file provides no user-facing notice, consent flow, minimization, or clear boundary on what may leave the local environment. In a human-approval guard, tool names and approval scopes can reveal confidential business intent such as payments, signing, HR, or healthcare-related actions, which creates a real privacy and data-governance risk even if the code is not overtly malicious.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding:
The credential retrieval occurs via a network request with no user-facing warning, prompt, or disclosure in the script, making the behavior non-transparent. In a human-approval skill, undisclosed secret-fetching is especially concerning because users and reviewers may assume the script only checks approval state, not that it reaches out to retrieve sensitive data.

VirusTotal

65/65 vendors flagged this skill as clean.