Didit Phone Verification

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises: it helps send and check Didit phone verification codes, with expected handling of API keys and phone data.

Install only if you intend to use Didit for phone verification. Store DIDIT_API_KEY in a secret store or environment variable, do not commit it, send verification codes only to numbers you are authorized to verify, and get appropriate user consent before sending phone numbers, OTP codes, IP addresses, device identifiers, or other fraud-signal data to Didit.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill encourages sending fraud signals such as IP address, device ID, platform, model, OS version, app version, and user agent to a third party, but it does not provide an explicit privacy warning or consent guidance. This is dangerous because users or integrators may unknowingly transmit personal or device-identifying information to an external service, creating privacy, compliance, and trust risks.

Missing User Warnings

Low

Confidence: 87% confidence
Finding: The skill requires a sensitive API key in an environment variable but does not warn against hardcoding, logging, or exposing that credential in examples and operational use. This increases the chance that developers mishandle the secret, especially since the document also includes copy-paste request examples using the key in headers.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal