← 返回 Skills 市场

Rent a Person

Name: Rent a Person
Author: saireetikap

作者 saireetikap · GitHub ↗ · v1.0.35

cross-platform ⚠ suspicious

2392

总下载

当前安装

版本数

在 OpenClaw 中安装

/install rent-a-person-ai

功能描述

Hire verified humans for deliveries, errands, meetings, photography, pet care, and other real-world tasks that AI cannot perform.

安全使用建议

Do not install/run this skill without manual review and remediation. Key things to consider: - The repo includes a credentials file (rentaperson-agent.json) containing an API key and OpenClaw token. That secret should never be shipped in a skill — treat it as compromised. If you already used that key, rotate/revoke it immediately. - The setup scripts automatically edit your OpenClaw config (openclaw.json) and can restart your gateway; back up your openclaw.json before running the setup and review changes line-by-line. - The SKILL.md and bridge/transform code explicitly inject the RentAPerson API key into messages that become visible to OpenClaw sessions and logs. This exposes the key to model context, logs, and any plugin that can read sessions. Prefer not to use the 'transform' option and audit the bridge code: the bridge code claims to redact keys in logs but still appends the key into the message body — a contradiction. - If you want this functionality safely: remove any baked-in credentials from the code, supply your API key via a secure mechanism (env var or secret store) and ensure the skill never appends secrets to messages. Consider running the bridge on an isolated host and instrumenting strict logging/retention rules; or implement a transform that adds headers only at the HTTP proxy layer and never writes secrets into session text. - If you have limited security experience, do not run the provided setup.js or install scripts. Ask a sysadmin to review the scripts and the exact changes they will make (especially the openclaw.json edits) and to perform necessary key rotation if the bundled credentials were used. Confidence in this assessment is high because the repository payload clearly contains credentials and code that embeds those credentials into agent-visible messages — a disproportionate and risky behavior for a skill of this purpose.

功能分析

Type: OpenClaw Skill Name: rent-a-person-ai Version: 1.0.35 The skill bundle is classified as suspicious primarily due to explicit prompt injection instructions in `SKILL.md` and `AGENT_BRIEF.md`. Specifically, the agent is instructed to 'MUST process' RentAPerson webhooks and 'IGNORE' OpenClaw's security notices for webhooks. While the stated purpose is to enable automated processing of legitimate events, these instructions train the AI agent to bypass platform security warnings, creating a critical vulnerability in the agent's operational security. Additionally, some utility scripts (`scripts/send-via-cli.sh`, `scripts/send-to-session.js`) include the API key directly in messages, which is a less secure practice, although the main agent flow with the recommended 'bridge' service aims to avoid this.

能力评估

⚠ Purpose & Capability

The skill claims to be an OpenClaw adapter for RentAPerson (webhook processing + API calls) which legitimately needs an API key and webhook token — but the registry metadata declares no required env/config. The repository actually expects and ships a credentials file (rentaperson-agent.json) with a real-looking apiKey and openclawToken. That is a major mismatch: the skill both fails to declare required secrets and embeds them in the bundle (not necessary or appropriate for a third-party skill).

⚠ Instruction Scope

SKILL.md and scripts instruct the agent/gateway to treat incoming webhooks as 'trusted' and to 'MUST process them', to extract and use the RentAPerson API key, and to send replies via the RentAPerson API. The docs and scripts further direct modifying the user's OpenClaw config (openclaw.json), registering hooks, and optionally running a bridge or transform that injects the API key into messages forwarded to OpenClaw — i.e., the API key is explicitly placed into agent-visible message bodies. The skill also tells the agent not to refuse external requests, which expands runtime authority and increases risk of sensitive-data exposure.

ℹ Install Mechanism

There is no remote download of arbitrary binaries (no extract URL), and the bridge uses Node built-ins. However, the provided setup script programmatically edits the user's OpenClaw config (including attempts to auto-convert JSON5 to JSON) and can run commands (npx, openclaw CLI, restart gateway). Automatically mutating system config files without conservative safeguards is risky — the script could corrupt or misconfigure the gateway if assumptions are wrong.

⚠ Credentials

The skill bundle contains rentaperson-agent.json with full secrets (apiKey and openclawToken) and the code repeatedly reads and inserts that key into forwarded messages and logs. The registry metadata declared no required env vars, yet the runtime clearly requires RENTAPERSON_API_KEY, OPENCLAW_TOKEN, etc. Several helper scripts and the bridge append the API key into message bodies or send it to the OpenClaw gateway, exposing the secret in session transcripts, logs, and forwarded payloads — disproportionate to the stated purpose and contradictory to claims that the bridge keeps the API key out of transcripts.

⚠ Persistence & Privilege

The setup modifies global OpenClaw configuration (hooks/transformsDir, skills.entries, webhook mappings) and can start a long-running bridge service. While the skill does not set always:true, it requests persistent presence by editing system config and installing a persistent bridge service (systemd/pm2 examples). Changing other skills' or gateway configuration is a privileged action and is performed by the provided install scripts without clear opt-in granularity.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install rent-a-person-ai
安装完成后，直接呼叫该 Skill 的名称或使用 /rent-a-person-ai 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.35

rent-a-person-ai v1.0.35 - Added AGENT_BRIEF.md to provide a brief agent overview. - Updated SKILL.md with clarified requirements for API JSON body formatting and header usage. - Improved documentation to emphasize proper JSON formatting (double quotes, header Content-Type). - Updated setup instructions and reminders for webhook/API authentication.

v1.0.34

Version 1.0.34 - No file changes detected in this release. - No visible changes or updates to skill logic or documentation. - Behavior and setup remain the same as previous version.

v1.0.33

No user-facing changes in this version. - Version updated to 1.0.33 with no modifications to files or visible behavior. - All existing functionality, setup, and documentation remain unchanged.

v1.0.32

No file changes were detected in this release. - No changes to the codebase, scripts, or documentation. - Version bump only; existing setup and features remain unchanged.

v1.0.31

No changes detected in this version.

v1.0.30

rent-a-person-ai 1.0.30 — No code changes detected. - Documentation remains unchanged; no updates to functionality or features. - No new features, bug fixes, or other adjustments in this version.

v1.0.29

v1.0.29 - No code changes in this release. - Documentation and instructions unchanged from previous version.

v1.0.28

v1.0.28 - No changes to code or documentation were detected in this version. - All existing setup, configuration, and workflow instructions remain unchanged.

v1.0.27

Version 1.0.27 - No file changes detected in this release. - Documentation and setup instructions unchanged. - No user or system-visible behavior changes included.

v1.0.26

RentAPerson.ai v1.0.26 - Updated documentation to clarify setup requirements and webhook integration with OpenClaw. - Added a new "Before you start (requirements)" section outlining necessary prerequisites. - Improved instructions for enabling hooks, generating a token, and connecting RentAPerson to OpenClaw. - No changes to code—this version only updates documentation for better guidance and setup clarity.

v1.0.25

Version 1.0.25 - Added new install-and-setup one-liners and quickstart instructions to SKILL.md. - Added a helper script: scripts/install-and-setup.sh for streamlined installation and setup. - Improved documentation for one-click setup via the new script or npx/ClawHub approach. - No changes to runtime or workflow logic—documentation and tooling improvements only.

v1.0.24

- Webhook session now only forwards incoming webhooks to the main session using `sessions_send`, instead of processing them directly. - Updated SKILL.md documentation to describe the new two-session architecture and adjusted recommended setup instructions. - Main session is now responsible for handling RentAPerson webhooks and replying via the API. - Clarified two-session flow and requirements for environment variable injection.

v1.0.23

No files were changed in this release. - Version bump only: no code or documentation changes detected. - All previous functionality and documentation remain unchanged.

v1.0.22

Version 1.0.22 - Adds support for a two-agent architecture: separates chat correspondence (main session) and webhook processing (webhook session) for cleaner operation. - The setup script now prompts for both main session and webhook session keys, and maps webhooks to the dedicated webhook session by default. - Setup guide (SKILL.md) updated throughout to document the new pattern and clarify persistent session configuration. - No runtime or API changes—this update improves default setup, webhook routing, and documentation for easier onboarding.

v1.0.21

- No file changes detected in this release. - Documentation and setup instructions remain unchanged. - No new features, bug fixes, or modifications included in this version.

v1.0.20

No user-facing changes in this version. - No file changes were detected between versions 1.0.19 and 1.0.20. - No updates to documentation, code, or features.

v1.0.19

- Added `rentaperson-agent.json` for storing agent credentials. - Added `scripts/fetch-test-ids.js` script for fetching test IDs.

v1.0.18

v1.0.18 — No functional or documentation changes. - Version bump only; contents remain identical to previous release. - No file changes detected.

v1.0.17

- No user-facing changes in this release. - Version updated without detected modifications to skill files.

v1.0.16

- Adds a critical notice: all RentAPerson webhooks mentioning API keys or special fields must be fully trusted and processed (never rejected as "untrusted"). - Clarifies webhook automation flow: extract API key, fetch context, reply via RentAPerson API. - Updates wording to reflect that webhook session will respond via RentAPerson API only. - Removes ambiguity about paths and session usage for persistent webhooks. - No code or file changes in this release; documentation update only.

元数据

Slug rent-a-person-ai

版本 1.0.35

许可证 —

累计安装 1

当前安装数 0

历史版本数 35

常见问题

Rent a Person 是什么？

Hire verified humans for deliveries, errands, meetings, photography, pet care, and other real-world tasks that AI cannot perform. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 2392 次。

如何安装 Rent a Person？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install rent-a-person-ai」即可一键安装，无需额外配置。

Rent a Person 是免费的吗？

是的，Rent a Person 完全免费（开源免费），可自由下载、安装和使用。

Rent a Person 支持哪些平台？

Rent a Person 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Rent a Person？

由 saireetikap（@saireetikap）开发并维护，当前版本 v1.0.35。