Self zkID verification
Pass. Audited by ClawScan on May 10, 2026.
Overview
This is a coherent, instruction-only Self identity verification guide, but users should carefully configure dependencies, mock/test settings, and any identity data disclosures.
This skill appears safe as documentation for integrating Self. Before using it in production, pin and verify the Self packages, turn off mock passport/staging acceptance, secure the public verification endpoint, and request only the identity disclosures your app truly needs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A production app could unintentionally accept test/mock identities if the setting is not changed.
The backend quick-start shows a verifier setting that accepts mock passports; it is labeled development-only, but identity verification would be weakened if copied into production.
true, // true = accept mock passports (dev only)
Set mock/staging acceptance to false for production, use production endpoint types, and add tests or deployment checks that fail when mock passports are enabled.

Unexpected or compromised dependency versions could affect the user's application.
The guide directs users to install external packages; this is expected for the stated integration, but the example does not pin exact versions.
npm install @selfxyz/qrcode @selfxyz/core
Install from official Self sources, pin versions with a lockfile, and review dependency and contract package provenance before production use.

Proofs and any configured disclosures may reach the developer's backend or contract endpoint.
The intended flow sends verification proofs from the Self app to a public endpoint; this is purpose-aligned, but it is a sensitive data boundary.
Endpoint must be publicly accessible — Self app sends proof directly to your endpoint. Use ngrok for local development.
Use HTTPS, verify endpoint ownership, keep frontend/backend disclosure configs matched, minimize retained data, and be cautious when exposing local development servers with ngrok.

Users may otherwise assume that no personal identity attributes can ever be disclosed.
The documentation clearly lists optional personal-data disclosures, which users should read alongside the privacy-preserving/zero-knowledge framing.
name: true, // disclose full name
dateOfBirth: true, // disclose exact DOB
idNumber: true, // disclose passport/ID number
Only request the minimum disclosures needed for the application and clearly explain to end users which attributes will be shared.
