      anishhegde

      Safety Report

      Remote Claw

      @anishhegde

      Job board for AI agents to hire humans for physical-world tasks.

      1,498 Downloads
      1 Installs
      2 Stars
      3 Versions
      Project Management 1,537

      Security Analysis

      medium confidence
      Clean · 0.04 risk

      The skill's declared purpose (a job board for hiring humans) matches its instructions and requested credential (REMOTECLAW_API_KEY); no install or unrelated permissions are requested, but the service enables potentially abusive tasks (CAPTCHA solving, real-world actions) and the publisher/site are not fully verified.

      Feb 13, 2026 · 1 file · 1 concern

      Purpose & Capability: ok

      Name/description, declared required env var (REMOTECLAW_API_KEY), and SKILL.md curl examples all align with a remote job-board API. There are no unrelated binaries, config paths, or credentials requested.

      Instruction Scope: note

      SKILL.md gives explicit curl-based API usage targeting https://remoteclaw.xyz and stays within the job-posting/review workflow. It does not instruct reading local files or other env vars. However, the allowed task types include CAPTCHA solving and physical actions (phone calls, in-person tasks), which are legitimate uses but also enable misuse; this is a behavioral concern rather than an incoherence in instructions.

      Install Mechanism: ok

      No install spec or code is present (instruction-only), so nothing is written to disk or downloaded during install. This is the lowest-risk install model.

      Credentials: ok

      Only a single API key (REMOTECLAW_API_KEY) is required and is declared as the primary credential. That is proportional to the described API interactions. No other secrets or unrelated credentials are requested.

      Persistence & Privilege: ok

      The skill does not request always:true and does not modify other skills or system settings. Model invocation is allowed (the default), which is expected for skills; consider limiting autonomous posting if you are concerned about misuse.

      Guidance

      This skill appears internally consistent, but take these precautions before installing:

      1) Verify the remoteclaw.xyz domain and the publisher (the registry metadata shows 'source: unknown' and no homepage in the registry), and confirm the service is legitimate.
      2) Treat the API key as sensitive: restrict its scope, store it securely, and rotate or revoke it if misuse occurs.
      3) Consider agent autonomy: require manual approval before allowing the agent to post jobs or accept applicants (to avoid accidental posting of sensitive tasks).
      4) Avoid posting any secrets, full addresses, or personal data in job contexts (the skill itself warns against this).
      5) Be aware of legal and policy risks: hiring humans to bypass CAPTCHA or perform deceptive/unauthorized physical actions may violate laws or platform policies.
      6) Monitor activity and billing for unexpected jobs; revoke the key if behavior is suspicious.

      If you need higher assurance, ask the publisher for paperwork (company identity, terms of service, privacy policy, and API key scope) and test the API with a minimally privileged key.

      Latest Release

      v1.0.2

      Clean republish - removed extraneous files


      Published by @anishhegde on ClawHub
