Didit Phone Verification
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill uses a Didit API key to send and check phone verification codes. Its external messaging and sharing of phone data are disclosed, but they are actions users should control carefully.
Before installing, make sure you trust Didit with phone verification data, configure DIDIT_API_KEY securely, and require explicit user confirmation before the skill sends any code or follows any optional account-setup or credit top-up instructions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can send real verification messages or calls to phone numbers.
The helper can trigger an external Didit send-code API call, which may contact a phone number and consume account credits; this is disclosed and central to the skill's purpose.
    response = requests.post(f"{BASE_URL}/send/", headers=get_headers(), json=payload, timeout=30)
Only send codes to numbers the user is authorized to verify, and confirm both the number and the delivery channel with the user before sending.
Anyone with the configured API key could use the associated Didit account's phone verification capabilities and credits.
The skill uses the user's Didit API key to authenticate requests; that credential is expected for the service and is not hardcoded or logged in the shown code.
    api_key = os.environ.get("DIDIT_API_KEY") ... return {"x-api-key": api_key, "Content-Type": "application/json"}
Store the API key securely as an environment variable, use the least-privileged key available, and rotate it if it is exposed.
Phone numbers, OTP codes, and optional session identifiers may leave the local environment and be processed by Didit.
Phone numbers and verification codes are sent to the external Didit provider for checking; this data flow is expected for OTP verification but involves sensitive user data.
    payload = {"phone_number": phone, "code": code, ...} ... BASE_URL = "https://verification.didit.me/v3/phone"
Use the skill only with user consent, avoid sending unnecessary identifiers in vendor_data, and review Didit's data handling policies if this is used for production verification.
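The three findings above describe one call path: a key read from DIDIT_API_KEY, a send-code POST to {BASE_URL}/send/, and a check payload carrying the phone number and OTP. The Python below is an added example, not the skill's own code and not a Didit SDK, that wraps that path with the controls recommended in the findings: it fails closed when the key is missing, redacts the key and the OTP before anything is logged, validates the number as E.164 so a malformed number never reaches the provider or costs a credit, refuses to send until the caller asserts that the user confirmed number and channel, and forwards only an allowlisted vendor_data key. Only BASE_URL, the x-api-key header, the DIDIT_API_KEY variable, the /send/ path and the phone_number/code fields come from the snippets shown in the findings; the channel names, the channel and vendor_data fields of the send payload, the accepted OTP length and the injectable post callable are assumptions made here for illustration.

```python
"""Guarded wrapper for the Didit phone-verification send/check path.

Added example, not the skill's own code. BASE_URL, the x-api-key header,
DIDIT_API_KEY, the /send/ path and the phone_number/code fields come from
the ClawScan findings; everything else below is an assumption for
illustration.
"""
import os
import re

BASE_URL = "https://verification.didit.me/v3/phone"

# E.164: leading "+", first digit 1-9, 7 to 15 digits in total (assumed policy).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
# OTP shape accepted locally before it is forwarded (assumed: 4 to 8 digits).
OTP = re.compile(r"^\d{4,8}$")
# Delivery channels the caller may request (assumed allowlist for this example).
ALLOWED_CHANNELS = {"sms", "whatsapp"}
# vendor_data keys allowed to leave the local environment (assumed allowlist).
ALLOWED_VENDOR_KEYS = {"session_id"}


def get_headers(env=None):
    """Read the API key from the environment and fail closed if it is missing."""
    env = os.environ if env is None else env
    api_key = env.get("DIDIT_API_KEY")
    if not api_key:
        raise RuntimeError("DIDIT_API_KEY is not set; refusing to call Didit")
    return {"x-api-key": api_key, "Content-Type": "application/json"}


def redact(mapping):
    """Copy of headers or a payload that is safe to log: key and OTP masked."""
    safe = dict(mapping)
    for secret in ("x-api-key", "code"):
        if secret in safe:
            safe[secret] = "***"
    return safe


def normalize_phone(phone):
    """Strip separators, then require E.164 so a bad number is rejected locally."""
    cleaned = re.sub(r"[\s\-().]", "", phone)
    if not E164.match(cleaned):
        raise ValueError("phone number must be E.164, e.g. +14155550100")
    return cleaned


def build_send_payload(phone, channel, vendor_data=None):
    """Minimal send payload: number, channel and only allowlisted vendor_data keys."""
    if channel not in ALLOWED_CHANNELS:
        raise ValueError(f"unsupported delivery channel {channel!r}")
    payload = {"phone_number": normalize_phone(phone), "channel": channel}
    if vendor_data:
        extra = {k: v for k, v in vendor_data.items() if k in ALLOWED_VENDOR_KEYS}
        if extra:
            payload["vendor_data"] = extra
    return payload


def build_check_payload(phone, code):
    """Check payload with the OTP validated locally; never log the result unredacted."""
    if not OTP.match(code):
        raise ValueError("verification code must be 4 to 8 digits")
    return {"phone_number": normalize_phone(phone), "code": code}


def send_code(phone, channel, confirmed, vendor_data=None, env=None, post=None):
    """POST to the send endpoint only after the user confirmed number and channel.

    ``post`` is injectable so the logic can be exercised offline; when it is
    None the skill's own transport, requests.post, is used.
    """
    if not confirmed:
        raise PermissionError("user has not confirmed number and channel; not sending")
    payload = build_send_payload(phone, channel, vendor_data)
    headers = get_headers(env)
    if post is None:
        import requests  # imported lazily so the module loads without it
        post = requests.post
    response = post(f"{BASE_URL}/send/", headers=headers, json=payload, timeout=30)
    # Audit trail of what was sent, with the key masked.
    print("send-code request", payload, redact(headers))
    return response
```

In the skill itself the confirmation flag would be set only after the assistant has shown the user the exact number and channel and received an affirmative answer; the point of requiring it as an argument is that the send path cannot be reached by accident from an unconfirmed prompt.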
