Safety Report

Nudocs

Name: Nudocs
Author: jdrhyne

Upload, edit, and export documents via Nudocs.ai. Use when creating shareable document links for collaborative editing, uploading markdown/docs to Nudocs for rich editing, or pulling back edited content. Triggers on "send to nudocs", "upload to nudocs", "edit in nudocs", "pull from nudocs", "get the nudocs link", "show my nudocs documents".

1,704Downloads

3Installs

0Stars

3Versions

Workflow Automation3,323 PDF & Documents1,388 Documentation1,163 Networking & DNS1,102

Security Analysis

high confidence

Clean0.04 risk

The skill's requirements and instructions are consistent with its stated purpose: it calls a nudocs CLI and needs a Nudocs API key/config file to upload, list, link, pull, and delete documents.

Feb 13, 20263 files1 concern

Purpose & Capabilityok

Name/description (upload/edit/export via Nudocs.ai) match the declared dependencies: a 'nudocs' CLI binary, an NUDOCS_API_KEY environment variable, and a Nudocs config file path. The npm package cited (@nutrient-sdk/nudocs-cli) and GitHub repo correspond to the CLI.

Instruction Scopeok

SKILL.md instructs only CLI actions (upload, list, link, pull, delete, config) and how to supply an API key. It does not ask for unrelated files, system credentials, or hidden network endpoints; it only reads/writes the expected document files and the configured Nudocs API key.

Install Mechanismnote

Installation uses a public npm package (@nutrient-sdk/nudocs-cli) which is a reasonable delivery for a CLI. npm packages can run install-time scripts, so verify the package source/maintainer and prefer installing from a reviewed publisher or pinned version. The provided GitHub repo points to PSPDFKit/nudocs-cli, which aligns with the package metadata.

Credentialsok

The single required secret (NUDOCS_API_KEY) and a single user config file (~/.config/nudocs/api_key) are proportional to a service-integration skill. No unrelated credentials or broad system secrets are requested.

Persistence & Privilegeok

The skill does not request 'always: true' or any elevated persistent presence. It installs a CLI binary (nudocs) into the environment when the npm package is installed, which is expected for a CLI-based integration and does not modify other skills or system-wide agent settings.

Guidance

This skill looks internally consistent, but take these practical precautions before installing: 1) Verify the npm package and GitHub repo (publisher, recent commits, issues) match the official Nudocs/PSPDFKit sources and pin a specific version. 2) Treat NUDOCS_API_KEY like any API secret—provide the minimum-privilege key, store it in your secrets manager, and rotate if needed. 3) Remember global npm installs can run arbitrary code at install time—review package install scripts if you will run npm install -g. 4) Consider installing and testing the CLI in an isolated environment (container or VM) first. 5) The agent can invoke this skill autonomously (platform default); if you want to limit that, control agent invocation settings in your platform rather than relying on the skill. If you need higher assurance, ask the skill author for a checksum or signed release or review the CLI source before installing.

Latest Release

v1.2.0

Fix scanner flags: declare ~/.config/nudocs/api_key config path, link npm package to GitHub repo for provenance

More by @jdrhyne

JIRA

11 stars

Munger Observer

2 stars

Nutrient Openclaw

2 stars

Context Recovery

2 stars

Gong

0 stars

Nutrient Document Processing (Universal Agent Skill)

0 stars

Published by @jdrhyne on ClawHub