Nudocs
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user’s documents may be uploaded to Nudocs, shared through edit links, downloaded back, listed, or deleted if the corresponding command is used.
The skill exposes CLI actions that can upload documents, list account documents, download/export documents, and delete documents. These actions fit the Nudocs purpose, but they can affect cloud-hosted user content.
nudocs upload <file> ... nudocs list ... nudocs pull [ulid] ... nudocs delete <ulid>
Use the skill for intended Nudocs tasks, and confirm before sharing sensitive documents or deleting any document.
Anyone with access to the configured API key may be able to use the user’s Nudocs account through the CLI.
The skill requires a Nudocs API key, either from an environment variable or a local config file. This is expected for the Nudocs service integration but gives the CLI account-level access according to that key’s permissions.
export NUDOCS_API_KEY="nudocs_your_key_here" ... echo "nudocs_your_key_here" > ~/.config/nudocs/api_key
Store the API key securely, avoid sharing logs or shell history containing it, and revoke or rotate the key if it is exposed.
Installing the skill requires trusting the external npm package that implements the CLI.
The skill depends on an external npm package that provides the nudocs binary. This is disclosed and central to the skill’s function.
node | package: @nutrient-sdk/nudocs-cli | creates binaries: nudocs
Install the documented package from the expected source and keep it updated through normal package-management practices.