v1.1.0

Didit Aml Screening

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:41 AM.

Analysis

This skill appears to perform the Didit AML screening it claims, but it uses your Didit API key and may send and store sensitive identity details with Didit.

Guidance: Install this only if you intend to send AML screening subjects to Didit. Protect the DIDIT_API_KEY, confirm consent and compliance obligations for screened individuals or companies, and review Didit's request-saving and retention settings before sending document numbers or other sensitive identifiers.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/screen_aml.py
api_key = os.environ.get("DIDIT_API_KEY") ... headers={"x-api-key": api_key, "Content-Type": "application/json"}

The helper authenticates to Didit with the user's API key. This is expected for an AML API integration, but the key may authorize account usage or billable requests.

User impact: Anyone with access to the API key could potentially use the user's Didit account for screening requests.

Recommendation: Store DIDIT_API_KEY securely, use the least-privileged key Didit supports, and monitor Didit account usage and billing.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`document_number` ... ID document number ("Golden Key") ... `save_api_request` | boolean | No | `true` | Save in Business Console

The documented request can include sensitive identity data, and the provider-side API request saving is described as enabled by default.

User impact: Names, dates of birth, nationalities, document numbers, and AML results may be retained in the Didit Business Console depending on API behavior and settings.

Recommendation: Only screen subjects when you have appropriate authorization, avoid sending optional identifiers unless needed, and disable request saving or adjust retention settings if Didit supports it.