Skill v1.2.0
ClawScan security
Didit Liveness Detection · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 5:14 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code, instructions, and requested credential (DIDIT_API_KEY) are consistent with a liveness-detection client that calls the Didit standalone API; no incoherent or unrelated privileges are requested.
- Guidance
- This skill is coherent with its stated purpose, but it sends raw biometric images to an external service. Before installing, confirm you trust Didit and that sending user selfies to their API meets your privacy, legal, and data-retention requirements (the docs indicate API requests may be saved by default, so set save_api_request explicitly if retention is unwanted). Ensure the runtime has Python and the 'requests' library available. Protect DIDIT_API_KEY like any secret: keep it in the environment or a secrets manager rather than in skill files, scope it as narrowly as Didit allows, and rotate it. If you must avoid uploading images to a third party, use an on-device or self-hosted solution instead. Finally, review Didit's privacy and retention policies and confirm whether the 'blocklist' or duplicate-detection features could affect user rights in your jurisdiction.
Review Dimensions
- Purpose & Capability
- ok · Name and description match the implemented behavior: SKILL.md documents a passive-liveness API, and the included Python script posts a user image to the documented Didit endpoint, authenticating with an x-api-key header. The single required env var (DIDIT_API_KEY) is exactly what the API needs.
- Instruction Scope
- note · The instructions only describe sending one user image and optional parameters to the Didit endpoint. They do, however, advertise additional platform features (blocklist matching, duplicate detection, saving API requests), and the docs indicate that requests may be persisted by default (save_api_request defaults to true). This is expected for a third-party biometric API but is a privacy and retention concern: the skill transmits raw biometric images to Didit.
- Install Mechanism
- note · There is no install spec (instruction-only), which minimizes supply-chain risk. The included Python script imports the 'requests' package, but SKILL.md lists no dependencies or installation instructions, so the runtime must already provide Python and requests or the script will fail.
- Credentials
- ok · Only one credential is required: DIDIT_API_KEY (declared as primary). That matches the documented API authentication (x-api-key header). No unrelated credentials, files, or system paths are requested.
- Persistence & Privilege
- ok · The skill is not always-enabled and does not request system or cross-skill configuration. It does not modify other skills or system settings. The primary persistence concern is external (Didit storing submitted images and requests), not local agent privileges.
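The Guidance and Instruction Scope notes above describe what a careful client of this API should do: read DIDIT_API_KEY from the environment only, send it in the x-api-key header, opt out of server-side request retention explicitly rather than relying on the default, bound the network wait, and keep the key out of error messages that an agent might log. The following is an added example written for this review, not the skill's own script. It uses only the Python standard library (so it does not depend on the undeclared 'requests' package). The endpoint URL, the multipart field name "user_image", and the choice to send "save_api_request" as a form field are assumptions to verify against Didit's documentation.

```python
# Added example for this review; not the skill's script. Assumptions are marked.
import json
import os
import urllib.error
import urllib.request
import uuid

# ASSUMED endpoint path; take the real one from Didit's API documentation.
DEFAULT_URL = "https://verification.didit.me/v2/liveness/"


class MissingApiKey(RuntimeError):
    """Raised when DIDIT_API_KEY is absent so the API is never called unauthenticated."""


def load_api_key(env=None):
    """Read the key from the environment only, never from skill files or arguments."""
    env = os.environ if env is None else env
    key = env.get("DIDIT_API_KEY", "").strip()
    if not key:
        raise MissingApiKey("DIDIT_API_KEY is not set; refusing to call the Didit API")
    return key


def build_form_fields(save_api_request=False):
    """Send the retention flag explicitly instead of inheriting the server default (true)."""
    return {"save_api_request": "true" if save_api_request else "false"}


def build_headers(api_key, content_type):
    """x-api-key is the documented auth header; no other field carries the secret."""
    return {"x-api-key": api_key, "Content-Type": content_type, "Accept": "application/json"}


def build_multipart(fields, file_field, filename, content, boundary=None):
    """Encode text fields plus one binary file as multipart/form-data."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{file_field}"; '
        f'filename="{filename}"\r\nContent-Type: application/octet-stream\r\n\r\n'.encode()
    )
    parts.append(content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def build_request(api_key, image_bytes, filename="selfie.jpg", url=DEFAULT_URL,
                  save_api_request=False, boundary=None):
    """Assemble the POST; "user_image" is an ASSUMED field name."""
    body, content_type = build_multipart(build_form_fields(save_api_request),
                                         "user_image", filename, image_bytes, boundary)
    return urllib.request.Request(url, data=body,
                                  headers=build_headers(api_key, content_type), method="POST")


def redact(text, secret):
    """Strip the API key from anything that might reach a log or an agent transcript."""
    return text.replace(secret, "***") if secret else text


def check_liveness(image_bytes, url=DEFAULT_URL, timeout=15.0, env=None):
    """POST one selfie and return the parsed JSON verdict; errors never include the key."""
    api_key = load_api_key(env)
    req = build_request(api_key, image_bytes, url=url)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:  # bounded wait
            return json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        detail = exc.read().decode("utf-8", errors="replace")[:200]
        raise RuntimeError(redact(f"Didit API returned HTTP {exc.code}: {detail}", api_key)) from None
```

The image bytes are passed straight into the request body and never echoed back in exceptions, so the only place the selfie ends up is Didit's endpoint; whether that is acceptable is the policy question raised in the Guidance above, not something the client can solve.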
