Didit Biometric Age Estimation

Verdict: Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill does what it claims: it uploads a user-chosen face image to Didit for age estimation. In doing so, it handles biometric data and a Didit API key.

This skill appears purpose-aligned and not malicious. Before installing, make sure you are comfortable sending facial images to Didit, have consent and compliance coverage for age estimation/liveness checks, understand whether requests are saved, and use a protected Didit API key.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A person's face image, and optional vendor tracking data, will be shared with Didit for processing.

Why it was flagged

The helper sends the selected local face image to Didit's external API using the user's API key. This is disclosed and central to the skill, but facial images are sensitive biometric data.

Skill content

ENDPOINT = "https://verification.didit.me/v3/age-estimation/" ... requests.post(ENDPOINT, headers={"x-api-key": api_key}, files=files, data=data, timeout=60)

Recommendation

Use only with appropriate consent and a valid privacy/legal basis; avoid unnecessary vendor_data; verify Didit's privacy, retention, and data-processing terms before using real user images.

What this means

Uploaded images or request records may be retained beyond the immediate API response depending on Didit's defaults and account settings.

Why it was flagged

The documented API default may save age-estimation requests in the Didit Business Console. That is disclosed, but it affects retention of sensitive biometric-related requests.

Skill content

`save_api_request` | boolean | No | `true` | Save in Business Console Manual Checks

Recommendation

If retention is not desired, explicitly configure the API or workflow to avoid saving requests where supported, and confirm account retention settings before processing production data.

What this means

Anyone running the skill with this environment variable can submit age-estimation requests under the configured Didit account.

Why it was flagged

The script requires and uses a Didit API key to authenticate requests. This is expected for the service, but it grants access to the user's Didit account/API quota.

Skill content

api_key = os.environ.get("DIDIT_API_KEY") ... headers={"x-api-key": api_key}

Recommendation

Store the API key securely, use the least-privileged key available, rotate it if exposed, and avoid sharing logs or environments that may reveal the key.

What this means

Users have less assurance that the skill package is officially maintained by Didit or another trusted maintainer.

Why it was flagged

The supplied registry metadata does not identify a verified source repository or publisher. The included code is readable and purpose-aligned, but provenance matters for a skill handling biometric data and credentials.

Skill content

Source: unknown; Homepage: https://docs.didit.me

Recommendation

Verify the endpoint, documentation, and maintainer before installing, especially before using production API keys or real user images.