didit-kyc-onboarding
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements a standard integration for the Didit identity verification service. All network communication is directed to the official vendor domains (`*.didit.me`), which is consistent with the skill's stated purpose of identity verification.
- [CREDENTIALS_UNSAFE]: The skill correctly handles authentication by requiring the `DIDIT_API_KEY` to be provided via an environment variable. No hardcoded credentials or secrets were found in the source code or documentation.
- [COMMAND_EXECUTION]: The provided Python script `scripts/run_kyc.py` is a standard CLI utility that uses the `requests` library to interact with the Didit API. It does not perform any dangerous system commands, shell injections, or arbitrary code execution.
- [DATA_EXFILTRATION]: Data transmission is limited to sending configuration parameters (like workflow labels) and user identifiers to the Didit API. Sensitive identity data (like document scans or selfies) is handled directly by the user via the generated verification URL on Didit's platform, rather than being processed or stored by the skill's local scripts.
- [EXTERNAL_DOWNLOADS]: The skill uses standard, well-known Python libraries (such as `requests`) which are expected for its functionality. It does not perform any unverified remote script downloads or executions.
Audit Metadata