v1.0.0

Didit Kyc Onboarding

Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:20 AM.

Analysis

The skill matches its KYC purpose, but it can use a Didit API key to create real verification sessions and print sensitive identity-verification results, so it should be reviewed carefully before use.

Guidance

Install only if you are comfortable letting the agent use a Didit API key for real KYC operations. Confirm each workflow/session creation, use scoped or test credentials where possible, and avoid printing or storing full KYC decision data unless it is necessary and authorized.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern

Evidence from scripts/run_kyc.py:
full      Full flow: create workflow + session in one command ... requests.post(f"{BASE_URL}/workflows/" ... requests.post(f"{BASE_URL}/session/"

The helper can mutate the Didit account by creating KYC workflows and verification sessions, including via a combined full-flow command.

User impact: If invoked without deliberate review, the agent could create real KYC sessions, generate verification links for users, and potentially consume account credits.

Recommendation: Require explicit user approval before creating workflows or sessions; verify the workflow ID, vendor data, callback URL, and costs; and prefer a scoped or test API key.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern

Evidence from scripts/run_kyc.py:
h = {"x-api-key": api_key} ... requests.get(f"{BASE_URL}/session/{session_id}/decision/" ... print(json.dumps(result, indent=2)) ... print(f"DOB: {id_data.get('date_of_birth', '')}")

The Didit API key is used to retrieve full KYC decision data, and the script prints the full response plus identity attributes such as name, date of birth, and document information.

User impact: Sensitive identity-verification results may be brought into the agent conversation, logs, or other outputs in unredacted form.

Recommendation: Use least-privileged credentials, retrieve only the fields needed, redact identity details by default, and get clear authorization before viewing or sharing KYC results.
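The two recommendations above (explicit approval before workflow/session creation, and allowlisting plus redaction before any decision data is shown) can be enforced with a thin wrapper around the helper's calls. The following is an added example, not the skill's own scripts/run_kyc.py and not Didit's code: the subcommand names, the parameter names (workflow_id, vendor_data, callback), the decision field names and the sample decision are all assumptions constructed for the example, so check them against the Didit API reference before reuse.

```python
"""Hardening pattern for a Didit-style KYC helper: approval gate before mutating
calls, and field allowlisting plus PII masking before any decision data is shown.
This is added example code, not the skill's scripts/run_kyc.py; every field and
parameter name below is assumed for the example, not taken from the Didit API."""
import json
from typing import Any, Callable, Dict, Tuple
from urllib.parse import urlparse

# Subcommands that mutate the Didit account (assumed names, matching the scan's
# description of workflow, session and combined "full" creation).
MUTATING_ACTIONS = {"workflow", "session", "full"}
SESSION_ACTIONS = {"session", "full"}

# Top-level decision fields an operator needs to act on a result (assumed names).
DECISION_ALLOWLIST = {"session_id", "status", "reason"}

# Identity attributes that must never reach the agent transcript in clear text.
PII_KEYS = {
    "first_name", "last_name", "full_name", "date_of_birth",
    "document_number", "personal_number", "address",
}

# Constructed sample decision for the demo; not a real Didit response.
SAMPLE_DECISION = {
    "session_id": "sess-0001",
    "status": "Approved",
    "reason": "",
    "id_data": {
        "first_name": "Alice",
        "last_name": "Example",
        "date_of_birth": "1990-01-15",
        "document_number": "X1234567",
        "document_type": "PASSPORT",
    },
    "raw_ocr": {"full_text": "...would be the whole document text..."},
}


def mask(value: Any, keep: int = 2) -> str:
    """Keep the first `keep` characters of a value and star out the rest."""
    text = str(value)
    return text[:keep] + "*" * max(len(text) - keep, 0)


def redact(obj: Any) -> Any:
    """Recursively mask values whose key is in PII_KEYS, anywhere in a nested structure."""
    if isinstance(obj, dict):
        return {k: (mask(v) if k in PII_KEYS else redact(v)) for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def redact_decision(decision: Dict[str, Any]) -> Dict[str, Any]:
    """Allowlist top-level fields, keep the identity block only in masked form,
    and drop everything else (raw OCR, images, unknown extras) by default."""
    kept = {k: decision[k] for k in DECISION_ALLOWLIST if k in decision}
    if "id_data" in decision:
        kept["id_data"] = redact(decision["id_data"])
    return kept


def validate_session_params(params: Dict[str, Any]) -> Tuple[bool, str]:
    """Checks a reviewer should make before a verification session is created."""
    if not params.get("workflow_id"):
        return False, "workflow_id is empty"
    if not params.get("vendor_data"):
        return False, "vendor_data is empty, session cannot be tied to a user"
    callback = params.get("callback")
    if callback:
        parsed = urlparse(callback)
        if parsed.scheme != "https" or not parsed.netloc:
            return False, f"callback must be an https URL, got {callback!r}"
    return True, "ok"


def guarded_call(
    action: str,
    params: Dict[str, Any],
    approve: Callable[[str, Dict[str, Any]], bool],
    do_call: Callable[[Dict[str, Any]], Dict[str, Any]],
) -> Tuple[bool, Any]:
    """Run do_call(params) only if the inputs validate and, for mutating actions,
    approve(action, params) returns True. Returns (executed, result_or_reason)."""
    if action in SESSION_ACTIONS:
        ok, why = validate_session_params(params)
        if not ok:
            return False, why
    if action in MUTATING_ACTIONS and not approve(action, params):
        return False, "user declined"
    return True, do_call(params)


if __name__ == "__main__":
    # Demo with stubs instead of real HTTP: the session call is refused on a
    # plain-http callback, and the decision is shown only after redaction.
    refused = guarded_call(
        "session",
        {"workflow_id": "wf-1", "vendor_data": "user-42", "callback": "http://example.com/cb"},
        approve=lambda a, p: True,
        do_call=lambda p: {"url": "https://verify.example/..."},
    )
    print("session call executed:", refused)
    print(json.dumps(redact_decision(SAMPLE_DECISION), indent=2))
```

In a real wrapper, `approve` would be the agent's confirmation prompt showing the validated parameters and the expected cost, and `do_call` the `requests.post`/`requests.get` from the helper; read-only actions such as fetching a decision pass straight through, but their output still goes through `redact_decision` before anything is printed, so the unredacted `json.dumps(result)` path flagged in the second finding never runs by default.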