Skill v1.2.0

ClawScan security

Didit Id Document Verification · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 3, 2026, 5:14 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required credential (DIDIT_API_KEY) are consistent with its stated purpose of calling Didit's ID verification API; nothing in the package requests unrelated credentials, installs, or hidden endpoints.
Guidance
This skill will upload sensitive personal ID images and extracted PII to Didit's servers using the DIDIT_API_KEY you supply. Before installing: (1) confirm you trust Didit and review their privacy, retention, and billing policies; (2) store the DIDIT_API_KEY securely (don’t paste a production key into an untrusted agent UI); (3) be aware that by default requests are saved in the Business Console (save_api_request defaults to true; the script has a --no-save flag); (4) ensure sending ID images to an external vendor complies with your legal/regulatory and privacy requirements (GDPR, etc.); and (5) consider using a scoped/test API key for experimentation. The package itself is coherent with its claimed purpose.

Review Dimensions

Purpose & Capability
ok
Name/description match the actual behavior: the SKILL.md and included script submit ID images to Didit's verification endpoints and use a single API key (DIDIT_API_KEY). No unrelated services, binaries, or credentials are requested.
Instruction Scope
ok
Runtime instructions and the Python script only read the DIDIT_API_KEY env var and user-specified image files, then POST multipart/form-data to Didit endpoints (verification.didit.me, apx.didit.me, business.didit.me). There are no directives to read other system files, harvest environment variables, or send data to unexpected hosts.
Install Mechanism
ok
No install step or third-party download is specified; the skill is instruction-only with a small included script, so nothing is written to disk beyond the provided files. Low installation risk.
Credentials
ok
Only a single credential (DIDIT_API_KEY) is required and is used directly by the script to authenticate requests. The number and type of environment variables are proportional to the skill's function.
Persistence & Privilege
ok
The skill's always flag is false, and the skill does not request persistent system privileges or modify other skill configs. It does not attempt to enable itself or store credentials beyond using the environment variable at runtime.