Didit Phone Verification
Analysis
The skill coherently uses a Didit API key to send and check phone verification codes, with disclosed external messaging and phone-data sharing that users should control carefully.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.
Evidence: response = requests.post(f"{BASE_URL}/send/", headers=get_headers(), json=payload, timeout=30)
The helper can trigger an external Didit send-code API call, which may contact a phone number and consume account credits; this is disclosed and central to the skill's purpose.
Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.
Evidence: api_key = os.environ.get("DIDIT_API_KEY") ... return {"x-api-key": api_key, "Content-Type": "application/json"}
The skill uses the user's Didit API key to authenticate requests; that credential is expected for the service and is not hardcoded or logged in the shown code.
Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.
Evidence: payload = {"phone_number": phone, "code": code, ...} ... BASE_URL = "https://verification.didit.me/v3/phone"
Phone numbers and verification codes are sent to the external Didit provider for checking; this data flow is expected for OTP verification but involves sensitive user data.
