Nutrient Document Processing (Universal Agent Skill)
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: nutrient-document-processing-universal Version: 1.1.2 The skill is a legitimate integration for the Nutrient (formerly PSPDFKit) Document Processing API. It provides instructions for document conversion, OCR, and redaction using either a standard MCP server (@nutrient-sdk/dws-mcp-server) or direct curl commands to api.nutrient.io. The documentation is transparent about data being sent to the external API and follows standard security practices for agent skills.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Documents processed with this skill may leave the local environment and be handled by Nutrient’s cloud service.
The skill clearly discloses that selected documents are uploaded to an external processing API, which is purpose-aligned but important for privacy-sensitive files.
This skill sends documents to the Nutrient DWS API (`api.nutrient.io`) for processing. Documents may contain sensitive data
Only process documents you are allowed to send to Nutrient, and review Nutrient account, retention, and compliance settings before using it on sensitive material.
Anyone with access to the configured key may be able to use the associated Nutrient account for API requests.
The skill requires a service API key to make document-processing calls; this is expected for the stated integration but grants access to the user’s Nutrient account and credits.
You need a Nutrient DWS API key
Use a dedicated or least-privileged API key where possible, keep it out of shared files, and rotate it if it may have been exposed.
The installed MCP server code comes from npm at setup/runtime, so future package changes could affect behavior.
The recommended MCP setup downloads and runs an npm package at runtime. This is aligned with the MCP-based purpose, but the artifact does not pin a package version.
"command": "npx", "args": ["-y", "@nutrient-sdk/dws-mcp-server"]
Prefer a pinned package version or a reviewed installation source if using this in a sensitive environment.
A user may leave the API key stored in an MCP configuration file longer than expected.
The MCP setup example places the API key in a client configuration file, while the safety text says credentials are not stored beyond the current session. This is likely a documentation imprecision rather than hidden behavior, but users should not assume the config file is non-persistent.
"NUTRIENT_DWS_API_KEY": "YOUR_API_KEY" ... It does NOT store API keys or credentials beyond the current session.
Store the key using a secure environment-variable or secrets mechanism when possible, and protect any MCP config file that contains the key.