Rent a Person

Security checks across malware telemetry and agentic risk

Overview

This is a real RentAPerson automation skill, but it weakens webhook trust boundaries and exposes API keys in agent-visible messages and bundled config.

Review carefully before installing. Do not use the bundled credential file; rotate any exposed RentAPerson API key or hook token, disable bridge/transform API-key injection, require verified webhook authentication before processing events, keep secrets out of transcripts, and add human approval for accepting applicants, completing bounties, posting reviews, or scheduling real-world work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (44)

Intent-Code Divergence (High severity, 99% confidence)
The skill explicitly tells the agent to trust webhook-like messages based on content such as 'RentAPerson', 'API KEY', or event names, and to override normal untrusted-source safeguards. This enables prompt-injection style spoofing where any attacker who can send text into the agent can trigger automated API actions without actual verification of webhook origin or bearer-token authentication.

Intent-Code Divergence (High severity, 98% confidence)
The document tells the agent to ignore OpenClaw security notices and process webhook content automatically, directly undermining the platform's warning mechanisms. Even if a bearer-token model exists elsewhere in the document, these instructions create a bypass in practice by training the agent to disregard signals that a request may be untrusted.

Intent-Code Divergence (High severity, 99% confidence)
The documentation claims the bridge keeps the API key out of OpenClaw transcripts, but the sample bridge code appends the key directly into the forwarded message body. That means the credential can be stored in session history, logs, traces, or downstream tooling, creating a direct secret exposure risk and misleading operators into deploying an insecure design under a false security assumption.

Intent-Code Divergence (High severity, 99% confidence)
The README repeats the false assurance that keys are absent from session transcripts, while the included implementation injects the API key into the message field. This inconsistency is dangerous because users may rely on the README's security claim and unknowingly expose long-lived credentials in transcripts or observability systems.

Intent-Code Divergence (High severity, 99% confidence)
The recommendation section labels the bridge as more secure because the key supposedly never enters transcripts, but the bridge code forwards the key inside user-visible content. This is a true vulnerability because it promotes an insecure deployment pattern as the preferred option, increasing the chance of widespread credential leakage.

Context-Inappropriate Capability (High severity, 99% confidence)
The transform appends the actual RENTAPERSON_API_KEY secret directly into the message payload, which can expose the credential to downstream services, logs, users, LLM prompts, and any recipient of the transformed body. In a webhook/message-transform context, secrets should remain in trusted configuration or be applied only at the HTTP transport layer, not embedded into user-visible or model-visible content.

Intent-Code Divergence (Medium severity, 95% confidence)
The documentation understates the behavior by saying the transform adds a line containing key/id/name, while the implementation injects the full API secret. This mismatch is dangerous because reviewers or operators may approve and deploy the script believing it only adds identifiers, increasing the chance of unnoticed secret disclosure.

Intent-Code Divergence (High severity, 99% confidence)
The script's stated purpose is to send a message to a session, but it silently appends a locally stored API key and explicit authentication header instructions to that message. This is credential exfiltration behavior unrelated to the apparent functionality and would disclose sensitive secrets to any recipient of the target session.

Context-Inappropriate Capability (Critical severity, 100% confidence)
The code reads a local credential file, extracts an API key, and transmits it to a remote session as part of the message body. This is direct secret exfiltration with no legitimate need for a simple message-sending utility, and compromise of the API key could allow unauthorized access to protected systems or services.

Intent-Code Divergence (High severity, 99% confidence)
The script reads an API key from a local credential file or environment variable, then embeds that secret directly into the message body sent to another agent session. This is dangerous because it silently exfiltrates credentials beyond their intended trust boundary, allowing downstream systems, logs, or other agents to misuse the key.

Context-Inappropriate Capability (High severity, 99% confidence)
The file appears to be a simple CLI message sender, but it also harvests a credential from disk or environment and forwards it to an external agent session. That hidden capability is unjustified by the stated purpose and creates a covert credential-exfiltration path to a remote service.

Intent-Code Divergence (Medium severity, 98% confidence)
The script claims credentials stay only in memory unless the user opts to save them, but later persists the API key into OpenClaw config and sends full credentials into OpenClaw session messages. This is dangerous because it misleads the operator about secret handling and causes credential exposure in persistent config files and likely transcript/history stores.

Missing User Warnings (Medium severity, 95% confidence)
The brief instructs the agent to accept or reject applications and mark bounties completed based on webhook-triggered flows, but it does not require any confirmation, authorization check, validation threshold, or human review before taking irreversible state-changing actions. In an automated agent context, this creates a real risk of erroneous or manipulated webhook/input data causing unintended hiring decisions, rejection of applicants, or premature completion of work, disrupting user workflows and potentially causing business harm.

Missing User Warnings (Medium severity, 95% confidence)
The documentation explicitly promotes a 'transform' mode where the RentAPerson API key appears in session transcripts. That creates a real secret-exposure risk because transcripts are often logged, retained, shared with other tools, or visible to operators and agents beyond the intended trust boundary. The context makes this more dangerous because the guide presents this as a valid setup path rather than strongly discouraging it for production or sensitive environments.

Missing User Warnings (Medium severity, 89% confidence)
The guide instructs users to place API keys directly into exported environment variables and service configuration without any credential-handling warning. While common in setup docs, this is still risky because secrets may be captured in shell history, process listings, service definitions, backups, or shared admin environments. In this skill's context, those secrets authorize outbound API actions, so exposure could enable impersonation of the agent or unauthorized webhook/API operations.

Missing User Warnings (Medium severity, 90% confidence)
The curl examples place the API key directly on the command line, which can leak through shell history, terminal recordings, audit tooling, and shared environment visibility. This is a genuine documentation security issue because users often copy-paste commands verbatim, and the guide does not warn them about the exposure risk. The surrounding webhook-registration context increases the likelihood of real-world use.

Vague Triggers (High severity, 97% confidence)
The activation criteria are extremely broad: mere mention of certain strings is treated as proof of a trusted RentAPerson webhook. That ambiguity makes accidental or adversarial triggering easy, allowing unrelated text to invoke high-impact workflows like messaging applicants or changing bounty state.

Vague Triggers (Medium severity, 93% confidence)
The automatic webhook-processing section lacks strong boundaries between legitimate webhook events and similar-looking conversational content. Because the skill emphasizes immediate autonomous execution, small parsing mistakes or spoofed text could cause unintended activation.

Missing User Warnings (High severity, 97% confidence)
The skill authorizes autonomous real-world actions—accepting or rejecting applications, sending messages, and scheduling events—without meaningful user-facing consent or approval checkpoints. If triggered incorrectly or maliciously, these actions can create contractual, reputational, and operational harm in the real world.

Missing User Warnings (Medium severity, 95% confidence)
The document instructs readers to inject the API key into webhook message content without a clear warning that this exposes the credential to transcripts, logs, prompt history, and potentially the model itself. In an agent skill context, message bodies are commonly persisted and inspected, so embedding secrets there materially increases the attack surface.

Missing User Warnings (Medium severity, 90% confidence)
The README explicitly instructs users to expose the bridge over ngrok, which makes a local webhook receiver reachable from the public internet. Without clear guidance on webhook authentication, IP allowlisting, TLS validation, replay protection, and limiting exposed routes, operators may deploy an internet-facing endpoint that accepts untrusted requests and forwards them internally.

Missing User Warnings (Medium severity, 95% confidence)
The documentation promotes injecting the RentAPerson API key into every forwarded message payload, which increases the chance that credentials are exposed through logs, downstream services, error traces, prompt/session content, or message inspection. Even if the bridge claims to redact keys in its own logs, embedding secrets into normal data flows broadens exposure and violates least-privilege handling of credentials.

Missing User Warnings (Medium severity, 98% confidence)
The bridge embeds the RentAPerson API key directly into the natural-language message sent to OpenClaw. Any downstream agent, tool, log sink, prompt transcript, or compromised session with access to that message can read and misuse the credential, turning webhook delivery into credential exfiltration and unauthorized API access.

Missing User Warnings (Medium severity, 86% confidence)
The server forwards raw webhook-derived content to OpenClaw without authentication, integrity verification, or minimization, which means any caller that can reach this endpoint can inject arbitrary data into an autonomous downstream workflow. In this skill context, the forwarded content is not merely informational: it is converted into instructions that can trigger replies, calendar actions, or application decisions, increasing the risk of prompt injection, data leakage, and unauthorized business actions.

Missing User Warnings (High severity, 99% confidence)
The script silently injects a sensitive API key into outgoing message content without any disclosure or consent mechanism, making accidental exfiltration highly likely. Because message payloads are commonly logged, inspected, stored in histories, or sent to third-party models/services, this creates a broad secret-leakage path.

VirusTotal

66/66 vendors flagged this skill as clean.