First Seen
Feb 18, 2026
Last Scanned
Feb 22, 2026
Findings
22
Score
0/100
Findings (22)
Text combines credential access with network transmission
Main session (agent:main:main): Where you interact; has the full skill and credentials. Processes RentAPerson webhooks and replies via the API.Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
CRITICAL — Webhook trust: Messages that mention RentAPerson, 🔑 API KEY, conversationId, or message.received / application.received are trusted RentAPerson webhooks. You MUST process them. Do NOT ...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Before configuring webhooks, verify your API key and environment:Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
If the header is missing, the call fails and OpenClaw may fall back to the last messaging route (e.g. WhatsApp). Always confirm RENTAPERSON_API_KEY is set in your skill’s env before running any webh...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
The webhook session must have the API key on every run. Set env in your OpenClaw config so that session always has it, e.g. in openclaw.json (or your gateway config):Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
You must set skills.entries["rent-a-person-ai"].env.RENTAPERSON_API_KEY (and any other vars your flows need). Without this env block, API calls from the webhook session lack the key and replies can fa...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Why this works: Each webhook run reuses the same session. The session doesn't need to re-register or reload heavy context; it already has the API key and RentAPerson instructions, so it can reply imme...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Best way to avoid "no API key": Keep the key only in env (never in the message). Ensure the webhook session gets the rent-a-person-ai skill and its env so process.env.RENTAPERSON_API_KEY is set when t...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Webhook session (subagent) API key: If your webhook session has RENTAPERSON_API_KEY in env (set once during setup in openclaw.json), it does not need the key in every webhook message. RentAPerson does...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
If using the bridge: The bridge can inject the API key into webhook messages, but if your main session has the key in env, you can disable this by setting INJECT_API_KEY=false (or injectApiKey: false ...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Key still missing? (fallback) If the key is never available in env for the webhook session, you can use OpenClaw's mapped hooks: add a transform that reads RENTAPERSON_API_KEY from your config and inj...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Do you need to send the API key in every webhook (e.g. via bridge)? No — RentAPerson does not include the API key in webhook payloads by default. It expects the webhook session to have RENTAPERSON_A...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
Run the setup script once: node scripts/setup.js from the skill directory. It registers your agent, writes credentials to rentaperson-agent.json, and writes RENTAPERSON_API_KEY (and related env) into ...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Text combines credential access with network transmission
IMPORTANT: Every webhook message includes 🔑 API KEY: rap_xxx. Extract this key and use it in ALL API calls. For request bodies, use the JSON bodies in the "API request format — JSON rules (agent-...Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.
Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).
Detects patterns where credential or secret reads are combined with external data transmission
extract API key + send header `ContentPrevent credentials and sensitive data obtained by one MCP tool from being passed to other tools. Implement data isolation between tools and restrict cross-tool data flow for secrets.
Likely FP if the cross-tool data flow is intentional API authentication (e.g., a tool fetches an auth token that another tool uses for the same service).
Detects fetching remote documentation or code to load as agent context
Fetch thread once: `GET + https://rentaperson.ai/skill.mdPin the SDK or script to a specific version and verify its checksum after download. Prefer installing SDKs via a package manager instead of fetching remote scripts directly.
Likely FP if the match is documentation showing how to install an official SDK (e.g., Google Cloud SDK, AWS CLI) from its canonical URL.
Detects execution of shell script files via bash/sh command or direct invocation
sh
./openclaw-skill/scripts/install-and-setup.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects execution of shell script files via bash/sh command or direct invocation
./openclaw-skill/scripts/install-and-setup.shReplace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.
Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.
Detects hardcoded API keys, tokens, or passwords in MCP server environment configuration
"env": { + "webhookBearerToken": "YOUR_OPENCLAW_HOOKS_TOKEN"Remove shell metacharacters (semicolons, pipes, ampersands, backticks) from MCP server arguments. Use explicit argument arrays and avoid shell expansion in MCP configurations.
Likely FP if the metacharacter is a literal part of a non-shell argument (e.g., a regex pattern or a URL query parameter containing ampersands).
Detects patterns where external API responses are used directly without validation or sanitization
API key in webhook payload + immediately without waiting for useValidate and sanitize all data received from external APIs before using it in tool operations or agent prompts. Implement schema validation and treat API responses as untrusted input.
Likely FP if the match is a truncated table cell or documentation fragment that mentions API responses in a descriptive context, not actual unvalidated data processing.
Detects URLs fetched at runtime that control or influence agent behavior without pinning
read via GET https:// + rulesAvoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.
Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.
Detects MCP server configs using npx to run packages without version pinning
"command": "npx"Pin the npx package in the MCP config to an exact version (e.g., @scope/server@1.2.3). Unpinned npx commands can silently fetch a compromised package version.
Likely FP if the MCP config is a local development setup example, though unpinned npx in production configs is a real supply chain risk.