Didit Face Match

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to do what it says, but users should know that it uploads the selected face images to Didit and that Didit's API saves those requests by default.

This skill is appropriate if you intentionally want to compare two face images with Didit. Before using it, make sure you have permission to process the faces, confirm the exact files being uploaded, protect the DIDIT_API_KEY, and review or disable Didit's default request-saving behavior if you do not want biometric data retained in the Business Console.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: selected face images are uploaded to Didit

What this means

The face images chosen for comparison are transmitted to Didit for processing.

Why it was flagged

The helper reads two local file paths and uploads them to the stated Didit Face Match endpoint. This is expected for the skill, but the selected files leave the local machine.

Skill content
with open(user_image, "rb") as uf, open(ref_image, "rb") as rf:
    ...
response = requests.post(API_URL, headers=headers, files=files, data=data, timeout=60)
Recommendation

Use only with images you intend to send to Didit, confirm consent for biometric processing, and verify the file paths before running.

Finding 2: the DIDIT_API_KEY credential is read from the environment

What this means

Anyone with access to the configured API key could use the associated Didit account and potentially consume credits.

Why it was flagged

The script uses a Didit API key from the environment as the account credential for requests. This is disclosed and expected for the integration.

Skill content
api_key = os.environ.get("DIDIT_API_KEY")
...
headers = {"x-api-key": api_key}
Recommendation

Store the API key securely, use the least-privileged or dedicated key available, and rotate it if it is exposed.

Finding 3: requests are saved in the Business Console by default

What this means

Face-match requests may be retained by Didit instead of being only transient API calls.

Why it was flagged

The documentation states that Didit's API saves requests by default. For a biometric workflow, this means images or related results may persist in the provider's console beyond the immediate comparison.

Skill content
Parameter `save_api_request`: boolean, not required, default `true`. Description: Save in Business Console Manual Checks.
Recommendation

Review Didit's retention and privacy settings, and send save_api_request as false explicitly when you do not want the images or results retained, before processing sensitive biometric images.
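The three findings above share one remedy: a wrapper that fails closed when DIDIT_API_KEY is missing, checks that both paths really are image files inside a directory you chose before anything is read, sends save_api_request=false explicitly instead of relying on the default, and prints a manifest of what is about to leave the machine without the key. The following is an added example written for this review; it is not the skill's own helper and not Didit's client code. The endpoint URL, the multipart field names "user_image" and "ref_image", the accepted formats, the size cap, and the assumption that the boolean travels as the form string "true"/"false" are all assumptions, since the audited page does not state them; the sample files and key used by demo() are constructed stubs.

```python
"""Hardened request builder for a Didit Face Match call (added example, not the skill's code)."""
import os
import tempfile
from pathlib import Path

# Assumptions, not taken from the audited page: accepted formats, size cap,
# multipart field names, and how the boolean is encoded in form data.
ALLOWED_SUFFIXES = {".jpg", ".jpeg", ".png"}
MAX_BYTES = 8 * 1024 * 1024
MAGIC = {b"\xff\xd8\xff": "image/jpeg", b"\x89PNG\r\n\x1a\n": "image/png"}


class FaceMatchError(ValueError):
    """Raised when a precondition for uploading biometric data is not met."""


def load_api_key(env=None):
    """Read DIDIT_API_KEY and fail closed if it is absent or blank (finding 2)."""
    env = os.environ if env is None else env
    key = (env.get("DIDIT_API_KEY") or "").strip()
    if not key:
        raise FaceMatchError("DIDIT_API_KEY is not set; refusing to call Didit")
    return key


def check_image(path, allowed_roots):
    """Resolve a path and confirm it is a real JPEG/PNG inside an allowed directory (finding 1)."""
    p = Path(path).expanduser().resolve()
    roots = [Path(r).expanduser().resolve() for r in allowed_roots]
    if not p.is_file():
        raise FaceMatchError(f"not a regular file: {p}")
    if not any(root == p or root in p.parents for root in roots):
        raise FaceMatchError(f"refusing to upload a file outside the allowed directories: {p}")
    if p.suffix.lower() not in ALLOWED_SUFFIXES:
        raise FaceMatchError(f"unexpected extension: {p.name}")
    if p.stat().st_size > MAX_BYTES:
        raise FaceMatchError(f"file too large to be a face image: {p.name}")
    with p.open("rb") as fh:
        head = fh.read(8)
    mime = next((m for sig, m in MAGIC.items() if head.startswith(sig)), None)
    if mime is None:
        raise FaceMatchError(f"content is not JPEG/PNG despite its name: {p.name}")
    return p, mime


def build_request(user_image, ref_image, api_key, allowed_roots, save_api_request=False):
    """Assemble headers, files and form data; retention is opted out explicitly (finding 3)."""
    u_path, u_mime = check_image(user_image, allowed_roots)
    r_path, r_mime = check_image(ref_image, allowed_roots)
    headers = {"x-api-key": api_key}
    data = {"save_api_request": "true" if save_api_request else "false"}  # assumed encoding
    files = {  # field names are an assumption
        "user_image": (u_path.name, u_path.read_bytes(), u_mime),
        "ref_image": (r_path.name, r_path.read_bytes(), r_mime),
    }
    return headers, files, data


def upload_manifest(files, data):
    """What is about to leave the machine, for the operator to confirm. Never includes the key."""
    summary = {name: (fname, len(blob), mime) for name, (fname, blob, mime) in files.items()}
    return {"files": summary, "form": dict(data)}


def send(api_url, headers, files, data):
    """Perform the upload; requests is imported lazily so the checks above run offline."""
    import requests
    resp = requests.post(api_url, headers=headers, files=files, data=data, timeout=60)
    resp.raise_for_status()
    return resp.json()


def demo():
    """Constructed run: two stub PNGs in a temp dir, a fake key, and three rejected inputs."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as other:
        root = Path(d)
        for name in ("selfie.png", "id_photo.png"):
            (root / name).write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 64)  # constructed stub
        (root / "fake.png").write_bytes(b"not really an image")  # wrong content, right name
        (Path(other) / "leak.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)  # outside root
        key = load_api_key({"DIDIT_API_KEY": "fake-key-for-demo"})  # constructed, not a real key
        headers, files, data = build_request(root / "selfie.png", root / "id_photo.png", key, [root])
        results = {"data": data, "has_key_header": headers.get("x-api-key") == key,
                   "manifest": upload_manifest(files, data)}
        for label, args in (("outside", (Path(other) / "leak.png", root / "id_photo.png")),
                            ("fake_image", (root / "fake.png", root / "id_photo.png"))):
            try:
                build_request(*args, key, [root])
                results[f"{label}_rejected"] = False
            except FaceMatchError:
                results[f"{label}_rejected"] = True
        try:
            load_api_key({})
            results["missing_key_rejected"] = False
        except FaceMatchError:
            results["missing_key_rejected"] = True
        return results


if __name__ == "__main__":
    print(demo())
```

In real use, show upload_manifest() to the operator and call send() only after they confirm; the allowed_roots list is what keeps a mistyped path from shipping an arbitrary file on the machine to the provider, and the magic-byte check catches files that merely carry an image extension.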