Didit Email Verification

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Didit email OTP integration that discloses its API key use and external email-verification requests.

Install this only if you intend to use Didit for email verification. Protect DIDIT_API_KEY in an environment variable or secret manager, avoid logging it, confirm before sending OTP emails, monitor Didit credits or usage, and only send optional IP/device/user-agent fraud signals when you have an appropriate privacy basis and user notice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Medium
Confidence: 93%

Finding
The documentation encourages sending personal data and fraud signals such as email address, IP address, device ID, and user agent to a third-party API, but it does not include an explicit privacy notice, consent guidance, or data-minimization warning. This can lead to unintentional privacy violations, especially in regulated environments or when end users are unaware that their telemetry is being shared externally.

Missing User Warnings

Severity: Low
Confidence: 83%

Finding
The manifest exposes that a sensitive API credential is required, but it does not warn against hardcoding, logging, or otherwise mishandling that secret. In practice, this increases the risk of credential leakage through source control, examples, debug output, or shared transcripts.

VirusTotal

64/64 vendors flagged this skill as clean.