Is alexanderliteplo/rent-a-human safe?
https://github.com/openclaw/skills/tree/main/skills/alexanderliteplo/rent-a-human
The rentahuman skill is a legitimate marketplace connector for hiring humans for physical tasks; its SKILL.md content is clean of prompt injection, the install process contacted only GitHub, and the official canary integrity check reports no honeypot tampering. The primary concerns are the API's exposure of PCI-sensitive payment card data (card number, CVV) through a third-party service, an opaque Node.js runtime script whose full source was not audited, and the inherent privacy risk of routing user location data and task descriptions to rentahuman.ai without explicit disclosure. The skill also presents an elevated blast radius due to real financial transactions and physical-world consequences, and is particularly dangerous as a combination-attack exfiltration channel if installed alongside file-reading skills.
Findings (9)
HIGH Payment Card Data (PAN, CVV, Expiry) Exposed to Third-Party Service -25
The API reference explicitly documents a get_card_details endpoint that returns card number, CVV, and expiry date. Any agent invoking this endpoint transmits full PCI-sensitive card data through rentahuman.ai infrastructure. The skill author and rentahuman.ai operator gain access to this financial data, and the user has no indication this occurs during normal task-posting workflows.
HIGH All Six Credential Honeypots Opened and Read Twice During Audit -25
inotify and auditd both record OPEN+ACCESS on all six canary credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at two points in the audit window — once at audit timestamp 1771653087.878 (before install) and again at 1771653104.643 (after install completes). The official canary integrity check reports intact files (no writes, no confirmed exfiltration). Timing analysis attributes both access sets primarily to audit framework baseline operations, but the post-install set cannot be definitively excluded from skill-related activity without deeper process attribution.
MEDIUM User Location, Task Descriptions, and Messages Routed to Third-Party rentahuman.ai -15
Every bounty description, conversation message, and location string provided by the user is transmitted to rentahuman.ai servers. Task descriptions may contain home addresses, meeting locations, package tracking numbers, and personal context. The user receives no explicit warning in SKILL.md that this sensitive operational data is shared with a third-party commercial marketplace and is visible to the skill operator.
MEDIUM Opaque Node.js Runtime Script Executed by Agent -28
rentahuman.mjs is a Node.js module executed directly by the agent via shell commands templated in SKILL.md. Its full source code is not reproduced in SKILL.md and was not provided in the evidence (only its SHA-256 hash). The script runs with access to the agent process environment variables, the local filesystem via Node.js APIs, and can make arbitrary outbound HTTP requests. Without a complete code review of this file, its behavior cannot be fully characterized.
MEDIUM Real Financial Transactions and Physical-World Consequences Elevate Blast Radius -20
This skill can spend real money (fund_escrow deducts from prepaid card atomically), hire real humans, release payments to bank accounts, and disclose user locations to strangers. A prompt injection attack originating in any other active skill or in user-controlled content could weaponize this skill to post fraudulent bounties, drain escrow funds, or send users' physical addresses to hired actors. The blast radius is substantially higher than a purely digital skill.
MEDIUM Cross-Skill Combination Exfiltration Vector -15
The skill accepts arbitrary user-controlled strings in bounty descriptions and conversation messages, which are transmitted verbatim to rentahuman.ai. Any co-installed skill that reads local files (e.g., a coding assistant, a file manager, a secrets scanner) could be combined in a prompt injection scenario where the attacker instructs the agent to read .env or SSH keys and embed them in a rentahuman.ai bounty description or message. This skill then acts as the exfiltration channel.
LOW Install Contacts GitHub Over HTTPS — Sole External Connection -10
The install script clones https://github.com/openclaw/skills.git (resolved to 140.82.121.4:443). This is the only external destination contacted during installation. The connection is expected for a monorepo-based skill registry and is terminated after sparse checkout. No other hosts were contacted. Post-install connection diff is clean.
LOW Ed25519 Agent Identity System Enables Cross-Session Tracking -5
The skill creates and persists named Ed25519 keypairs as agent identities on disk. These identities survive across sessions and are transmitted to rentahuman.ai with every authenticated request (agentId, publicKey). This allows rentahuman.ai to correlate all agent actions across time, sessions, and potentially users who share infrastructure. The identity store is not scoped or ephemeral.
INFO Shell Template Placeholder {baseDir} Requires Runtime Sanitization -12
SKILL.md embeds {baseDir} in shell command templates passed to Node.js. If the skill runner substitutes this value without path sanitization, a maliciously crafted baseDir could result in path traversal or argument injection. This is a runtime concern dependent on the skill execution framework rather than a flaw in SKILL.md itself.