Skill v1.2.0
ClawScan security
Didit Email Verification · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 5:15 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, instructions, and included script are consistent with an email OTP verification integration using Didit's API; nothing requested is disproportionate to that purpose.
- Guidance: This skill appears to do only what it says: call Didit's email verification endpoints. Before installing, verify you trust Didit and are comfortable sending email addresses and optional fraud signals (IP, device_id, user_agent) to their service. Note: the package includes a Python script that requires a Python runtime and the 'requests' library but the skill lists no install steps or binaries—ensure your agent environment can run it or that the agent will instead call the REST endpoints directly. Be aware the SKILL.md documents a programmatic registration flow that will send an email and password to Didit to obtain an API key; only use that if you trust the endpoint. Finally, check billing/credit implications in Didit's docs (the skill references account/credits endpoints).
Review Dimensions
- Purpose & Capability (ok): Name/description match the behavior: the SKILL.md and the included Python script call Didit endpoints to send and check OTPs and optionally supply fraud signals. The single required env var (DIDIT_API_KEY) is appropriate for this purpose.
- Instruction Scope (ok): Runtime instructions focus on sending/checking email OTPs and optional fraud signals (ip, device_id, user_agent). They do not instruct the agent to read unrelated system files or other credentials. The SKILL.md does include a programmatic registration flow (to obtain an API key) which will send an email/password to Didit—this is consistent with onboarding but worth noting.
- Install Mechanism (note): There is no install spec (instruction-only), but a runnable Python script is included that uses the 'requests' library. The skill does not declare Python or the 'requests' dependency or required binaries; deploying or running the script will require a Python runtime and the requests package present in the environment.
- Credentials (ok): Only DIDIT_API_KEY is required and it is the primary credential for the Didit API. No additional unrelated secrets or config paths are requested.
- Persistence & Privilege (ok): always is false, the skill does not request permanent/global agent presence, and it does not modify other skills or system-wide settings.
