Didit Face Match

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Didit Face Match API helper, but it should only be used with clear consent because it sends face images to Didit.

Install only if you intend to send face images to Didit for biometric comparison. Confirm you have consent from the people in the images, protect the DIDIT_API_KEY, avoid unnecessary vendor_data, review Didit's retention settings, and do not use the score alone for high-stakes identity decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The documented scope expands from face matching into account registration, email verification, and billing actions. Even though this is documentation, it broadens the operational intent of the skill and could encourage agents or integrators to handle credentials, OTPs, and payment-related flows that are outside the stated purpose and increase abuse potential.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill claims age estimation and gender detection in addition to face matching. These are sensitive biometric and demographic inferences that materially expand data processing beyond simple identity comparison and can trigger privacy, fairness, and compliance risks if used without explicit user consent and policy controls.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation instructs users to send facial images and an API key to a third-party service without a prominent privacy warning. Facial images are highly sensitive biometric data, and insufficient disclosure can lead to unauthorized sharing, regulatory violations, and unsafe handling of personal data.

Missing User Warnings

Medium
Confidence: 88%
Finding
This script uploads highly sensitive biometric data (facial images) and optional session metadata to a third-party service without any explicit user-facing notice, confirmation, or consent mechanism in the code path. In a biometric/identity context, silent transmission increases privacy, compliance, and user-trust risk, especially if the caller uses the tool on behalf of another person.

VirusTotal

66/66 vendors flagged this skill as clean.
