Back to skill
Skillv0.1.1
ClawScan security
Human-Rent · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 2, 2026, 7:21 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The package mostly matches its claimed purpose (dispatching paid human workers) but contains inconsistencies (version/packaging metadata vs. included files) and operational risks (ability to dispatch/charge real humans, deletion helper script, optional auto-confirm) that warrant manual review before trusting credentials or installing widely.
- Guidance
- This package appears to implement a legitimate Human-as-a-Service CLI, but there are red flags you should address before installing or supplying credentials: 1) Metadata mismatch: files claim v0.2.1 while registry lists v0.1.1 — ask the publisher which is authoritative and why versions differ. 2) Verify provenance: get the upstream repository or signed release (GitHub release, official vendor page) and confirm checksums against that source. 3) Inspect code (lib/api-client.js, lib/dispatch.js): confirm SSRF whitelist, HMAC signing, and that ZHENRENT_BASE_URL validation blocks private IPs as claimed. 4) Do NOT run cleanup-for-upload.sh or any provided removal script until you review what it will delete and you have a safe working copy. 5) Treat ZHENRENT_API_SECRET as highly sensitive: test the CLI in an isolated account with a least-privilege, low‑budget API key to avoid unexpected charges. 6) Avoid setting HUMAN_RENT_AUTO_CONFIRM=true in production or on agents that can act autonomously; require interactive confirmation or instrument explicit operator approval. 7) If you cannot verify the publisher or the code, run the package in an isolated sandbox/container and monitor network calls (to ensure endpoints are legitimate) before supplying production credentials.
Review Dimensions
- Purpose & Capability
- noteThe skill's name, description, required binaries (node/npm), and required environment variables (ZHENRENT_API_KEY, ZHENRENT_API_SECRET, ZHENRENT_BASE_URL) are coherent with a Node.js CLI that calls a third‑party 'ZhenRent' human‑dispatch API. However, registry metadata claims 'instruction-only / no install spec' while the package clearly contains a full CLI implementation (bin/ and lib/ JS files). Also the SKILL.md and many documentation files claim version v0.2.1 while the registry metadata lists v0.1.1 — this metadata mismatch is unexplained and suspicious.
- Instruction Scope
- okSKILL.md and the other docs describe normal actions for a human‑dispatch service: prompting user confirmation before dispatch, sample dispatch/status/humans commands, HMAC signing, SSRF protection, and a clear do-not-use-for-illegal warning. The runtime instructions do not appear to request unrelated env vars or to exfiltrate unrelated files. That said, the skill enables real monetary charges and physical actions; the docs also expose an AUTO_CONFIRM flag that will bypass interactive consent if set — a potentially dangerous operational configuration if enabled unintentionally.
- Install Mechanism
- noteNo external install spec (no downloads) is provided — the package is self-contained, which is lower risk. But the registry claims 'instruction-only' while code is included; the presence of many internal docs and a cleanup script that deletes files (including itself) is unusual packaging behavior. The cleanup script will remove files from the repository when run; this is not inherently malicious but is a destructive operation that should not be run without inspection.
- Credentials
- okThe required env vars are limited and appropriate for the claimed API integration (API key, secret, base URL). That level of access is proportionate to dispatching real-world workers. However, these credentials grant the ability to create paid tasks and/or access results; the user must treat them as sensitive (rotate keys, use least-privilege keys, do not enable auto-confirm in shared/automated agents).
- Persistence & Privilege
- noteThe skill does not request always:true and does not declare unusual system privileges. Autonomous invocation is allowed (platform default). Because the skill can dispatch real humans and charge money, combining autonomous invocation with HUMAN_RENT_AUTO_CONFIRM or a compromised API secret could cause real monetary or physical-world consequences — the user should ensure confirmation behavior is enforced in their environment and avoid auto-confirm in untrusted agents.