self-xyz

Fail

Audited by Socket on Feb 14, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected.

No evidence in the provided documentation of malware or malicious behavior. The instructions, inputs, and outputs are consistent with a legitimate identity verification integration using zk proofs. Primary residual risk arises from trusting the external @selfxyz npm packages (which are not included here) and from potential developer misconfiguration (accidentally exposing dev endpoints, enabling mock passports in production, or insufficient auth/logging practices). Recommend auditing the @selfxyz packages' implementation and ensuring production hardening (HTTPS, authentication, input validation, and no logging of sensitive proof material).

LLM verification: No direct malicious payloads or explicit data-exfiltration code are present in this provided skill documentation. The dominant risks are: 1) supply-chain risk from unpinned third-party npm dependencies (@selfxyz/*) whose runtime behavior is not shown here; 2) operational misconfiguration (leaving mockPassport enabled, mismatched scope/endpoint, wrong network addresses) which can lead to authentication bypasses or failed verifications; and 3) lack of visibility into the verifier implementation (p

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 14, 2026, 06:04 PM
Package URL: pkg:socket/skills-sh/openclaw%2Fskills%2Fself-xyz%2F@2ac59b239a942fbe39ce5ddab582333dc88a2f1d