Skill v4.1.0
ClawScan security
Didit Verification Management · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 5:14 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, runtime instructions, and included scripts are consistent with a Didit platform administration helper and do not request unrelated credentials or perform unexpected actions.
- Guidance
- This skill appears coherent for administering a Didit account. Before installing: (1) Verify you trust the skill owner since the registry entry lacks a homepage/source link; (2) Never paste production API keys or long-lived secrets into a skill you haven't audited—use a dedicated DIDIT API key with minimal privileges; (3) Be aware the setup script prints API keys to stdout (avoid running in shared/logged environments); (4) If you need webhook signature verification or other advanced features, confirm the skill provides those implementations or add them yourself; (5) If you want extra caution, restrict this skill's use to non-autonomous invocation or run it in an isolated environment.
Review Dimensions
- Purpose & Capability
- note: The name/description (Didit management) matches the actions implemented in the scripts and SKILL.md (account registration, sessions, workflows, billing). Minor metadata oddities: metadata.primaryEnv is set to DIDIT_API_KEY while the declared requires.env list is empty, the registry entry has no homepage/source URL, and the SKILL.md advertises broader webhook handling than the provided example scripts implement. These are not security-critical but worth noting.
- Instruction Scope
- ok: SKILL.md and the three scripts confine themselves to HTTP calls to Didit endpoints and local printing. They require DIDIT_API_KEY for management APIs and do programmatic registration/login flows as described. There are no instructions to read unrelated host files, secrets, or to send data to third-party endpoints beyond Didit's documented APIs.
- Install Mechanism
- ok: No install spec is present (instruction-only plus included helper scripts). Nothing is downloaded or written to disk by an installer step, so the install mechanism presents low risk.
- Credentials
- ok: The only sensitive runtime secret used is DIDIT_API_KEY, which is appropriate for a management skill. The account setup script does not require environment variables (as expected). No unrelated credentials, system config paths, or broad secrets are requested.
- Persistence & Privilege
- ok: The skill is not always-enabled and does not request persistent elevated privileges or modify other skills or system-wide agent configuration. It follows normal, limited agent skill behavior.
