Nudocs

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Nudocs.ai integration, but users should be careful because it can upload, share, download, list, and delete cloud documents using a Nudocs API key.

Install only if you trust Nudocs.ai and the @nutrient-sdk/nudocs-cli package. Treat uploaded files and returned links as sensitive, avoid using it for documents you do not intend to send to Nudocs.ai, and explicitly confirm document IDs before pull, link, or delete operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The trigger phrases include very generic language such as "share link," "get that doc," "where's that doc," and "what did I change," which can match normal conversation unrelated to Nudocs. In an agent setting, accidental invocation can cause unintended uploads, downloads, or document lookups against an external service, creating data exposure and workflow confusion.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill advertises upload, pull, link sharing, and delete capabilities but does not clearly warn that content will be transmitted to a third-party service and that delete operations can remove remote documents. Without explicit consent and safety language, users may unknowingly expose sensitive data externally or trigger destructive actions they did not fully understand.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal