Security audit

Human-Rent

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-aligned, but it can dispatch paid human workers for real-world tasks and includes an automation bypass that needs careful review.

Install only if you intend to connect an agent to ZhenRent and are comfortable sending task details, locations, budgets, and worker-selection data to an external service involving real people. Keep HUMAN_RENT_AUTO_CONFIRM disabled unless you have separate approvals, spending limits, audit logs, and task-safety controls. Do not submit sensitive personal, medical, legal, financial, credential, or unauthorized surveillance tasks, and avoid copying the unsafe cleanup, secret-printing, NODE_DEBUG, or exec-based integration examples without review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The OpenClaw integration example constructs a shell command by interpolating untrusted task input directly into a string passed to child_process.exec. An attacker controlling instruction or location values can inject shell metacharacters and execute arbitrary commands on the host running the agent, which is far more dangerous than the documented human-dispatch functionality suggests.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file includes a ready-to-run destructive `rm -f` command targeting multiple files in a live local directory, without an explicit warning that it permanently deletes data. In an agent or operator workflow, this increases the risk of accidental execution, path confusion, or unintended loss of important files if the command is copied blindly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document instructs users to export API credentials and dispatch a real-world task without any safety, secrecy, or environment-isolation warning. In a skill that brokers human agents for physical-world actions, normalizing direct command execution with live secrets and operational tasks increases the chance of credential exposure, accidental use against production systems, and unsafe real-world dispatches.

Vague Triggers

Low
Confidence
94% confidence
Finding
The file uses imperative, operational language such as 'Run cleanup-for-upload.sh' and 'Upload human-rent/ folder' while also asserting '100% PASS', 'No security issues', and 'READY TO GO!'. In an agent skill context, this can nudge a human or automated assistant to execute repository actions based on a status document rather than independent verification, increasing the risk of unintended script execution or unsafe deployment.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide recommends enabling NODE_DEBUG=http,https for dispatch operations without warning that verbose transport logging may capture sensitive headers, request bodies, endpoints, and other credential-adjacent data. In a tool handling API keys and dispatch details, those logs can leak secrets or sensitive operational information into terminal history, CI logs, or shared log files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents an environment variable that disables the human-dispatch confirmation prompt, allowing unattended initiation of real-world tasks and charges. In a skill whose core function is sending humans to physical locations, removing interactive consent materially increases the risk of unauthorized spending, privacy-invasive requests, and unsafe physical-world actions by downstream agents or scripts.

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
The release notes explicitly state that instructions must be in Chinese or English, which is a functional language restriction affecting how users can interact with the service. In a human-task-dispatch skill, this can materially limit user autonomy and cause exclusion or unsafe misunderstanding if the user is not informed of the restriction and has not consented to it before relying on the service.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document instructs the operator to run a cleanup script that deletes files before upload, but it does not provide a prominent warning that the action is destructive or advise creating a backup first. In a packaging workflow, this can cause accidental loss of internal documentation or other local files if the script behavior is broader than expected or the user runs it in the wrong directory.

Missing User Warnings

High
Confidence
98% confidence
Finding
The manual fallback includes a direct `rm -f` command deleting multiple files without any confirmation step, backup guidance, or safety warning. This is more dangerous than the scripted path because it normalizes irreversible deletion in documentation and increases the chance of operator error, especially if copied blindly in a live shell from the wrong path.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This module retrieves worker data from an external service and prints personally identifying and profile information such as names, IDs, city, bio, certifications, rates, and task history directly to stdout without any consent notice, minimization, or access control visible in this file. In the context of a human-dispatch skill, this creates a real privacy and data-disclosure risk because users or downstream agents may access more worker information than is necessary for task selection, and the code normalizes broad disclosure of third-party human data.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
  async promptForDispatch(taskDetails) {
    // If running in non-interactive mode, require explicit flag
    if (!process.stdin.isTTY) {
      if (process.env.HUMAN_RENT_AUTO_CONFIRM === 'true') {
        console.log('[Auto-confirmed via HUMAN_RENT_AUTO_CONFIRM]');
        return true;
      }
Confidence
95% confidence
Finding
AUTO_CONFIRM

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
    // If running in non-interactive mode, require explicit flag
    if (!process.stdin.isTTY) {
      if (process.env.HUMAN_RENT_AUTO_CONFIRM === 'true') {
        console.log('[Auto-confirmed via HUMAN_RENT_AUTO_CONFIRM]');
        return true;
      }
      throw new Error(
Confidence
95% confidence
Finding
Auto-confirm

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
    // If running in non-interactive mode, require explicit flag
    if (!process.stdin.isTTY) {
      if (process.env.HUMAN_RENT_AUTO_CONFIRM === 'true') {
        console.log('[Auto-confirmed via HUMAN_RENT_AUTO_CONFIRM]');
        return true;
      }
      throw new Error(
Confidence
95% confidence
Finding
AUTO_CONFIRM

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
      }
      throw new Error(
        'Cannot prompt for confirmation in non-interactive mode.\n' +
        'Set HUMAN_RENT_AUTO_CONFIRM=true environment variable to auto-confirm, or run in interactive terminal.'
      );
    }
Confidence
92% confidence
Finding
AUTO_CONFIRM

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
      }
      throw new Error(
        'Cannot prompt for confirmation in non-interactive mode.\n' +
        'Set HUMAN_RENT_AUTO_CONFIRM=true environment variable to auto-confirm, or run in interactive terminal.'
      );
    }
Confidence
92% confidence
Finding
auto-confirm

VirusTotal

64/64 vendors flagged this skill as clean.