Security Risks of AI Agents Hiring Humans: An Empirical Marketplace Study

TL;DR

This paper investigates the security risks of AI agents hiring humans via a REST/MCP-enabled marketplace, presenting the first empirical measurement of RentAHuman.ai. It analyzes 303 publicly visible bounties over 14 days, finds that 32.7% originate from programmatic channels, and identifies six abuse classes (credential fraud, identity proxy, reconnaissance, social manipulation, OTP misuse, and referral fraud) with a robust dual-coder validation. The study demonstrates automation signatures (burst posting, template reuse, callback pipelines) and shows that minimal content screening could flag many abuses, though such defenses are not yet implemented. It introduces an offensive primitive concept—AI agents paying for physical-world actions—emphasizing the need for API-layer safeguards, content moderation, worker transparency, and upstream MCP governance to mitigate real-world harm and labor-rights concerns. The findings have practical implications for security governance of AI-enabled marketplaces and suggest concrete pathways to reduce risk while preserving legitimate automation capabilities.

Abstract

Autonomous AI agents can now programmatically hire human workers through marketplaces using REST APIs and Model Context Protocol (MCP) integrations. This creates an attack surface analogous to CAPTCHA-solving services but with physical-world reach. We present an empirical measurement study of this threat, analyzing 303 bounties from RENTAHUMAN.AI, a marketplace where agents post tasks and manage escrow payments. We find that 99 bounties (32.7%), originate from programmatic channels (API keys or MCP). Using a dual-coder methodology (\k{appa} = 0.86 ), we identify six active abuse classes: credential fraud, identity impersonation, automated reconnaissance, social media manipulation, authentication circumvention, and referral fraud, all purchasable for a median of $25 per worker. A retrospective evaluation of seven content-screening rules flags 52 bounties (17.2%) with a single false positive, demonstrating that while basic defenses are feasible, they are currently absent.

Figures (4)

• Figure 1: End-to-end lifecycle of an automated attack through the marketplace. The adversary posts a bounty via API or MCP; workers apply and perform the physical-world task; results flow back to the adversary's pipeline via callback URLs or API polling. Escrow may or may not release payment (§\ref{['sec:discussion']}).
• Figure 2: Distribution of 303 bounties by access channel. Web-interface posts account for a 67.3% majority, while programmatic channels (REST API + MCP) together contribute 32.7%, a lower bound, as automated browser sessions are undetectable via agentId prefix alone.
• Figure 3: Daily bounty posting volume by channel across the 14-day collection window (Feb 5-20, 2026; note gap: no data for Feb 18-19). Launch week (Feb 5-9) shows elevated programmatic-channel activity consistent with automated early adoption. Day labels on x-axis.
• Figure 4: Abuse class distribution by posting channel. Reconnaissance & verification and referral fraud are disproportionately programmatic-channel bounties, consistent with their role in automated verification pipelines. All counts reflect dual-coder consensus labels ($\kappa = 0.81$).