Rent-A-Human-Agent + Bounty Hunter
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches a RentAHuman job-scanning/hiring purpose, but it asks for account-level credentials and includes posting, accepting, messaging, and payment-adjacent actions without clear confirmation or scope limits.
Install only if you are comfortable giving the skill RentAHuman and xAI access. Before enabling posting, hiring, messaging, or Telegram features, add explicit confirmation steps and review any external helper skills or bot code.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill could create job posts, contact humans, or accept applications on a paid platform if the user gives broad hiring instructions.
The skill advertises account-changing and payment-adjacent actions, but does not state that the agent must obtain explicit confirmation of the exact bounty, price, message, acceptance, or booking before acting.
/rent post <desc> — Post a new bounty ... /rent applications <id> → /rent accept <app_id> ... Payment via Stripe Connect escrow
Require confirm-before-action for posting, messaging, accepting, booking, and any payment/escrow step; show the exact title, description, price, recipient, and consequences before submission.
Users may not realize the skill needs account credentials that can access RentAHuman functions and send data to third-party services.
The skill requires service credentials, including a RentAHuman account key, while the registry metadata declares no required environment variables and no primary credential. That under-declares the permission boundary for a skill that can manage platform activity.
Requirements
- `XAI_API_KEY` — from x.ai for Grok scoring
- `RENTAHUMAN_API_KEY` — from rentahuman.ai/dashboard
- `TELEGRAM_BOT_TOKEN` (optional)
Declare all required and optional credentials in metadata, document the exact scopes needed, and prefer least-privilege/read-only keys for scanning when posting or hiring is not requested.
Bounty summaries, scoring context, and recommendation messages may be processed by external providers.
The skill discloses external provider flows to xAI/Grok and Telegram. These flows are purpose-aligned, but users should know bounty details and preference/location context may leave the local agent environment.
Uses Grok AI to filter spam, score opportunities by location, skills, and ease of completion, and sends top results to Telegram.
Disclose exactly what fields are sent to Grok and Telegram, allow users to disable each external flow, and avoid including unnecessary personal location or skill details.
Old or poisoned bounty text could remain in cached results and influence what the agent shows later.
The script persists scored bounty results locally for 12 hours. This is coherent with the scanner purpose, but cached AI-generated reasons can be reused in later outputs.
CACHE_DIR = PROJECT_DIR / "cache"
CACHE_FILE = CACHE_DIR / "bounties_cache.json"
CACHE_TTL_HOURS = 12
Keep cache contents minimal, provide a clear cache-clear command, and avoid treating cached AI reasoning as authoritative without refresh or user review.
Installing the referenced Telegram helper could add unreviewed behavior beyond this skill.
The Telegram integration points users to an external skill repository without a pinned commit or included code in the reviewed package. This is optional, but it expands the trusted code base.
Drag and drop the .claude folder contents into your OpenClaw skills folder): https://github.com/shane9coy/Telegram-Bot-Easy
Review the external repository before installing it, pin a specific commit or release, and include any required helper files in the reviewed package when possible.
Users might rely on a privacy guarantee that is not verifiable from the reviewed files alone.
The documentation makes a privacy claim, but the included artifacts do not contain the Telegram bot implementation that enforces user-ID restriction.
🔒 **Private** - Bot only responds to your user ID
Include or link pinned code showing the user-ID check, and instruct users to test the bot from an unauthorized Telegram account before relying on it.
