Verfi
Review
Audited by ClawScan on May 10, 2026.
Overview
Verfi is a coherent consent-verification guide, but it uses third-party code and API keys to collect form-interaction data and manage retained consent records.
This skill appears purpose-aligned for Verfi consent verification. Before using it, verify the remote SDK and MCP package, keep secret keys server-side and narrowly scoped, deploy the tracking script only on intended forms, and require review before an agent performs bulk claim, unclaim, or retention changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Website visitor behavior, device details, and hashed identifiers may be transmitted to Verfi for consent proof.
The SDK sends behavioral form-session telemetry and hashed PII/device data to Verfi, which is central to the product but sensitive.
Begins recording a session: mouse movements, clicks, scrolls, keystrokes, form interactions ... Session data is encrypted and sent to Verfi's API
Use the SDK only on intended consent forms, update privacy notices as needed, avoid collecting unnecessary sensitive fields, and confirm retention and data-processing terms.
A leaked or over-scoped key could let someone view or manage consent sessions in the Verfi tenant.
The integration uses secret API keys with scopes that can read proof data and mutate consent-session state.
Secret | `sk_...` | API calls (server-side, Bearer token) ... scopes: `sessions:claim`, `sessions:unclaim`, `sessions:search`, `sessions:proof`, `sessions:expiration`
Keep secret keys server-side, grant only required scopes, rotate keys regularly, and avoid placing `sk_` keys in client code, logs, or shared prompts.
An agent using the API without clear confirmation could claim, unclaim, or alter expiration for lead-consent records.
The documented workflows include API actions that change retention or release claimed sessions; these are expected but can affect compliance records.
Call `POST /sessions/{verfiID}/claim` to start retention ... Unclaim any sessions that don't meet compliance requirements
Require confirmation for claim, unclaim, expiration, and bulk workflows; prefer dry runs and audit logs for batch operations.
Remote code would run on the website or MCP host and may receive Verfi API access if configured.
The skill relies on remote JavaScript and an optional npm-delivered MCP server that are not included in the reviewed artifacts.
<script src="https://sdk.verfi.io/v1/verfi.js" ...> ... "command": "npx", "args": ["-y", "@verfi/mcp-server"]
Verify the Verfi domains and npm package publisher, pin versions where possible, review the MCP server before giving it a secret key, and restrict API scopes.
