v1.1.0

Didit Proof Of Address

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:41 AM.

Analysis

The skill appears purpose-aligned for Didit proof-of-address checks, but users should know it uploads sensitive address documents to Didit using their API key.

Guidance: This looks like a straightforward Didit proof-of-address helper. Before installing, make sure you trust the publisher, provide only a Didit API key you intend to use for this purpose, and confirm with the user before uploading any utility bill, bank statement, or government document.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: Medium; Status: Note
metadata
Source: unknown

The registry does not identify a source repository or verified publisher, which matters because the skill handles API credentials and sensitive identity/address documents.

User impact: Users have less provenance information for deciding whether to trust the integration with their Didit key and documents.
Recommendation: Review the included script and prefer an official or otherwise trusted source before installation in sensitive workflows.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
scripts/verify_address.py
api_key = os.environ.get("DIDIT_API_KEY") ... headers={"x-api-key": api_key}

The script uses the user's Didit API key to authenticate requests to the proof-of-address API, which is expected for this integration but still grants account/API usage authority.

User impact: Using the skill may consume Didit API credits or expose verification activity under the user's Didit account.
Recommendation: Use a scoped Didit API key if available, keep the key out of chat/logs, and rotate it if it is accidentally exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Medium; Confidence: High; Status: Note
scripts/verify_address.py
files = {"document": (os.path.basename(document_path), f, mime)} ... requests.post(ENDPOINT, headers={"x-api-key": api_key}, files=files, data=data, timeout=60)

The selected proof-of-address document is uploaded to the external Didit verification service; this is central to the skill but involves sensitive personal documents.

User impact: Utility bills, bank statements, or government documents may leave the local environment and be processed by Didit.
Recommendation: Only upload documents the user explicitly wants verified, confirm Didit's privacy/retention terms, and avoid submitting unrelated files.