Hire humans for physical-world tasks via RentAHuman.ai. Search available humans by skill, post bounties, start conversations, and coordinate real-world work....
Security Analysis
medium confidence
The skill's requirements, instructions, and included code are coherent with a RentAHuman API client: it needs node and an API key, uses a local identity for signing, and only talks to rentahuman.ai — but it persists a private identity file and a scanner flagged unusual unicode control characters in the SKILL.md, so review before use.
Name/description, declared primary credential (RENTAHUMAN_API_KEY), required binary (node), SKILL.md examples, and the included CLI (scripts/rentahuman.mjs) all align with a client for the rentahuman.ai service. The CLI implements search (public) and write operations (requires API key) as described.
Runtime instructions confine network activity to the rentahuman.ai API and use curl for read-only operations or the bundled Node script for authenticated writes. The SKILL.md and script do instruct creating and using a local identity file (~/.rentahuman-identities) for signing — this is within scope but is persistent and worth noting. The SKILL.md does not request unrelated system files or other credentials.
No install spec; the skill is instruction-only with a single Node script provided. No remote downloads or package installs are performed by the skill bundle itself. Requiring node is proportionate.
Only RENTAHUMAN_API_KEY is declared as the primary credential and is required only for write operations (posting bounties, messaging, payments). That matches the documented API behavior. Note: the API reference describes endpoints that return sensitive financial data (prepaid card details, escrow) when the API key has those privileges — protect the key accordingly.
The CLI persistently stores an Ed25519 keypair and agent metadata under ~/.rentahuman-identities (directory created with mode 0700, files written with mode 0600). This is a legitimate design for agent verification, but it means a local private key is persisted and could be used to sign agent actions if the file is accessed by another process or user. The skill does not modify other skills or system-wide configs and is not always-enabled.
Guidance
This skill appears to be a coherent client for rentahuman.ai, but take these precautions before installing or using it:
1) Verify the source/owner if possible — the registry owner is unknown.
2) Treat RENTAHUMAN_API_KEY like a secret: use a dedicated API key with the minimum necessary privileges and rotate/revoke it if compromised.
3) Be aware the skill creates ~/.rentahuman-identities and stores a private key there (0600). If you do not want persistent local credentials, avoid running authenticated commands.
4) Inspect SKILL.md for hidden/zero-width/unicode control characters (scanner flagged them) and review the included script; run it in a sandbox or isolated environment first if you have doubts.
5) If you will use payment/escrow endpoints, ensure the account and API key policies are appropriate, and monitor for unexpected transactions.
If anything looks unfamiliar or you cannot verify the publisher, prefer read-only usage via curl and avoid providing the API key.
Latest Release
v1.0.0
Initial release of rentahuman skill — hire real humans for physical-world tasks via RentAHuman.ai.
- Search and browse human profiles for free (no authentication required)
- Post task bounties and message humans directly (requires API key)
- Coordinate real-world work such as package pickup, event attendance, photography, errands, and more
- Command-line usage examples provided for all major features
- Supports workflows for direct hiring and multi-person task postings
Published by @AlexanderLiteplo on ClawHub