KYC & Identity
Warn
Audited by ClawScan on May 18, 2026.
Overview
The skill matches a KYC use case, but it would handle identity documents and personal data through an AIOT development API with unclear credential, consent, and data-boundary controls.
Review carefully before installing. Only use this skill if you trust the publisher and have verified the API base URL, authentication method, privacy policy, and data-retention practices. Do not let the agent upload identity documents or submit KYC automatically; require a manual review and confirmation for each account, profile, document, or KYC submission action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your passport, ID, selfie, proof of address, and profile data could be sent to a third-party development API endpoint if the skill is used as written.
The skill instructs the agent to send highly sensitive KYC documents and personal data to a default AIOT development API endpoint. KYC upload is purpose-aligned, but the data boundary, production destination, and retention/privacy handling are not clearly documented.
The default API base URL is `https://payment-api-dev.aiotnetwork.io` ... Upload a KYC document ... {document_type, file_data (base64), file_name, mime_type}
Use only with a trusted, verified API base URL; confirm the destination, privacy policy, retention policy, and whether the endpoint is production before uploading identity documents.
An agent using this skill may act with your authenticated account authority to create or modify KYC-related records.
The skill expects bearer-token authenticated access to create users and modify profile/document records, but the provided registry requirement only identifies AIOT_API_BASE_URL and does not clearly define the auth token source, scope, or permission limits.
`create_masterpay_user` ... Requires auth; `update_profile` ... Requires auth; `update_document` ... Requires auth ... verify the session has a valid bearer token before calling it
Confirm which account token is used, limit its permissions where possible, and require manual approval before any profile, document, or KYC submission call.
A simple KYC-related request could lead to account creation or profile/document updates unless the user or agent adds extra confirmation steps.
The instructions encourage a sequence of high-impact actions, including account creation and later profile/document mutation, without an explicit confirmation checkpoint for the user before each irreversible or sensitive step.
Always follow the documented flow order. Do not skip steps. ... Before any KYC operation, ensure a MasterPay user exists by calling `create_masterpay_user`.
Require the agent to show the exact data and endpoint, then ask for explicit confirmation before creating a user, updating profile data, uploading documents, or submitting KYC.
