identity-verification-didit
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFE
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes instructions to retrieve API keys from the sensitive local path
~/.gooseworks/credentials.json. This is the standard method for configuring credentials in the Gooseworks agent ecosystem. - [COMMAND_EXECUTION]: Setup examples use
python3 -csnippets to parse the local configuration file and set environment variables. These commands are transparent and limited to initialization tasks. - [DATA_EXFILTRATION]: The skill transmits highly sensitive personally identifiable information (PII), including identification numbers, birth dates, and residential addresses, to
api.gooseworks.ai. This behavior is intrinsic to the skill's primary function of identity verification. - [PROMPT_INJECTION]: As the skill ingests and processes untrusted user data, it contains a surface for indirect prompt injection.
- Ingestion points: Data fields like
full_name,address, andvendor_datainSKILL.md. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the examples.
- Capability inventory:
curlcommands are used for network communication with the API base. - Sanitization: No explicit sanitization or validation logic is shown in the usage examples.
Audit Metadata