Didit Aml Screening

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it sends user-provided AML screening details to Didit using a Didit API key.

Install only if you intend to send AML screening subjects to Didit. Protect the DIDIT_API_KEY, use environment variables or a secrets manager, confirm you have a valid legal basis or consent for screening, minimize optional identifiers such as document numbers, and review Didit's request-saving, retention, billing, and continuous-monitoring settings before using it with real people or companies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium (92% confidence)

Finding: This skill is specifically designed to send highly sensitive personal identity data such as names, dates of birth, nationality, and document numbers to an external AML provider, yet the documentation does not present a clear privacy warning before those data flows are described. In a compliance/KYC context, omission of notice and consent guidance can lead to unauthorized disclosure of PII and regulatory noncompliance.

Missing User Warnings

Medium (89% confidence)

Finding: The programmatic registration flow shows handling of email, password, OTP, and returned API key without any warning about secure storage, secret redaction, or avoiding hardcoded credentials. That omission increases the risk of credential leakage in logs, transcripts, shell history, or source control, which could allow unauthorized account access and API abuse.

Missing User Warnings

Medium (91% confidence)

Finding: The documentation states that API requests may be saved and that continuous monitoring is automatically included, but it does not clearly warn that user identity data may be retained and reprocessed over time. For AML/KYC workflows, that materially affects privacy expectations, lawful basis, retention obligations, and cross-border processor risk.

Missing User Warnings

Medium (88% confidence)

Finding: The script transmits highly sensitive personal data such as full name, date of birth, nationality, and document number to a third-party AML screening provider without any explicit runtime warning, consent check, or data-handling notice. In a compliance/KYC context this transmission may be intended, but failing to clearly disclose external sharing increases privacy, legal, and policy risk, especially if an operator uses the tool on data subjects without proper authorization.

VirusTotal

66/66 vendors flagged this skill as clean.