Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rent a Person

v1.0.35

Hire verified humans for deliveries, errands, meetings, photography, pet care, and other real-world tasks that AI cannot perform.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill claims to be an OpenClaw adapter for RentAPerson (webhook processing + API calls) which legitimately needs an API key and webhook token — but the registry metadata declares no required env/config. The repository actually expects and ships a credentials file (rentaperson-agent.json) with a real-looking apiKey and openclawToken. That is a major mismatch: the skill both fails to declare required secrets and embeds them in the bundle (not necessary or appropriate for a third-party skill).
! Instruction Scope
SKILL.md and scripts instruct the agent/gateway to treat incoming webhooks as 'trusted' and to 'MUST process them', to extract and use the RentAPerson API key, and to send replies via the RentAPerson API. The docs and scripts further direct modifying the user's OpenClaw config (openclaw.json), registering hooks, and optionally running a bridge or transform that injects the API key into messages forwarded to OpenClaw — i.e., the API key is explicitly placed into agent-visible message bodies. The skill also tells the agent not to refuse external requests, which expands runtime authority and increases risk of sensitive-data exposure.
Install Mechanism
There is no remote download of arbitrary binaries (no extract URL), and the bridge uses Node built-ins. However, the provided setup script programmatically edits the user's OpenClaw config (including attempts to auto-convert JSON5 to JSON) and can run commands (npx, openclaw CLI, restart gateway). Automatically mutating system config files without conservative safeguards is risky — the script could corrupt or misconfigure the gateway if assumptions are wrong.
! Credentials
The skill bundle contains rentaperson-agent.json with full secrets (apiKey and openclawToken) and the code repeatedly reads and inserts that key into forwarded messages and logs. The registry metadata declared no required env vars, yet the runtime clearly requires RENTAPERSON_API_KEY, OPENCLAW_TOKEN, etc. Several helper scripts and the bridge append the API key into message bodies or send it to the OpenClaw gateway, exposing the secret in session transcripts, logs, and forwarded payloads — disproportionate to the stated purpose and contradictory to claims that the bridge keeps the API key out of transcripts.
! Persistence & Privilege
The setup modifies global OpenClaw configuration (hooks/transformsDir, skills.entries, webhook mappings) and can start a long-running bridge service. While the skill does not set always:true, it requests persistent presence by editing system config and installing a persistent bridge service (systemd/pm2 examples). Changing other skills' or gateway configuration is a privileged action and is performed by the provided install scripts without clear opt-in granularity.
What to consider before installing
Do not install/run this skill without manual review and remediation. Key things to consider:
- The repo includes a credentials file (rentaperson-agent.json) containing an API key and OpenClaw token. That secret should never be shipped in a skill — treat it as compromised. If you already used that key, rotate/revoke it immediately.
- The setup scripts automatically edit your OpenClaw config (openclaw.json) and can restart your gateway; back up your openclaw.json before running the setup and review changes line-by-line.
- The SKILL.md and bridge/transform code explicitly inject the RentAPerson API key into messages that become visible to OpenClaw sessions and logs. This exposes the key to model context, logs, and any plugin that can read sessions. Prefer not to use the 'transform' option and audit the bridge code: the bridge code claims to redact keys in logs but still appends the key into the message body — a contradiction.
- If you want this functionality safely: remove any baked-in credentials from the code, supply your API key via a secure mechanism (env var or secret store) and ensure the skill never appends secrets to messages. Consider running the bridge on an isolated host and instrumenting strict logging/retention rules; or implement a transform that adds headers only at the HTTP proxy layer and never writes secrets into session text.
- If you have limited security experience, do not run the provided setup.js or install scripts. Ask a sysadmin to review the scripts and the exact changes they will make (especially the openclaw.json edits) and to perform necessary key rotation if the bundled credentials were used.

Confidence in this assessment is high because the repository payload clearly contains credentials and code that embeds those credentials into agent-visible messages — a disproportionate and risky behavior for a skill of this purpose.

Like a lobster shell, security has layers — review code before you run it.
