Loopuman

Review

Audited by ClawScan on May 10, 2026.

Overview

Loopuman matches its stated purpose, but it can create paid human-worker tasks and share task details externally without a built-in confirmation or spending cap.

Use this skill only when you are comfortable paying external human workers and sharing the task details with Loopuman. Before any create action, confirm the description, budget, worker count, and webhook URL, and do not include secrets or sensitive personal data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked unintentionally or with mistaken parameters, the agent could spend Loopuman account credits and dispatch work to external humans.

Why it was flagged

The create command immediately posts a paid task with caller-supplied budget and worker-count fields, with no local confirmation prompt or spending cap in the script.

Skill content

payload=$(jq -n ... budget_vae: $budget_vae ... max_workers: $max_workers ...); response=$(api POST "/api/v1/tasks" -d "$payload")

Recommendation

Require explicit user confirmation before task creation, show the exact cost, worker count, description, and webhook destination, and add local maximum budget and worker limits.

What this means

Anyone who can read or modify the config file may be able to use the Loopuman account or redirect where the key is sent.

Why it was flagged

The script reads a local API key and uses it for Loopuman account operations. This is expected for the service, but the key can authorize paid task creation and task access.

Skill content

API_KEY=$(jq -r '.apiKey' "$CONFIG_FILE") ... -H "x-api-key: $API_KEY"

Recommendation

Store the config with restrictive file permissions, rotate the key if exposed, and declare the API key requirement clearly in skill metadata.

What this means

Private, confidential, or regulated information placed in task descriptions or results may be seen by external workers or sent to a webhook.

Why it was flagged

The skill is designed to send task descriptions to a third-party service and human workers, with optional webhook notifications. This is disclosed and purpose-aligned, but it is an external data boundary.

Skill content

Route tasks to verified human workers ... workers operate via Telegram and WhatsApp ... --webhook — URL for push notifications on completion

Recommendation

Review and redact task content before submission, avoid secrets or sensitive personal data, and only use trusted webhook URLs.