Nutrient Document Processing (Universal Agent Skill)

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a legitimate document-processing skill, but users should notice that it sends documents to Nutrient’s cloud API, uses an API key, and can install an MCP server package from npm.

This skill looks purpose-aligned for cloud document processing. Before installing, make sure you are comfortable sending chosen documents to Nutrient, protect the API key and any MCP config file containing it, and consider pinning or reviewing the npm MCP server package for sensitive deployments.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Documents processed with this skill may leave the local environment and be handled by Nutrient’s cloud service.

Why it was flagged

The skill clearly discloses that selected documents are uploaded to an external processing API, which is purpose-aligned but important for privacy-sensitive files.

Skill content

This skill sends documents to the Nutrient DWS API (`api.nutrient.io`) for processing. Documents may contain sensitive data

Recommendation

Only process documents you are allowed to send to Nutrient, and review Nutrient account, retention, and compliance settings before using it on sensitive material.

What this means

Anyone with access to the configured key may be able to use the associated Nutrient account for API requests.

Why it was flagged

The skill requires a service API key to make document-processing calls; this is expected for the stated integration but grants access to the user’s Nutrient account and credits.

Skill content

You need a Nutrient DWS API key

Recommendation

Use a dedicated or least-privileged API key where possible, keep it out of shared files, and rotate it if it may have been exposed.

What this means

The installed MCP server code comes from npm at setup/runtime, so future package changes could affect behavior.

Why it was flagged

The recommended MCP setup downloads and runs an npm package at runtime. This is aligned with the MCP-based purpose, but the artifact does not pin a package version.

Skill content

"command": "npx", "args": ["-y", "@nutrient-sdk/dws-mcp-server"]

Recommendation

Prefer a pinned package version or a reviewed installation source if using this in a sensitive environment.

What this means

A user may leave the API key stored in an MCP configuration file longer than expected.

Why it was flagged

The MCP setup example places the API key in a client configuration file, while the safety text says credentials are not stored beyond the current session. This is likely a documentation imprecision rather than hidden behavior, but users should not assume the config file is non-persistent.

Skill content

"NUTRIENT_DWS_API_KEY": "YOUR_API_KEY" ... It does NOT store API keys or credentials beyond the current session.

Recommendation

Store the key using a secure environment-variable or secrets mechanism when possible, and protect any MCP config file that contains the key.