Nutrient Openclaw

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed document-processing integration that sends user-selected documents to Nutrient DWS, with no evidence of hidden or malicious behavior.

Install only if you are comfortable sending the documents you choose, or extracted content from them, to Nutrient DWS. Use a dedicated API key where possible, start with non-sensitive files, and review redaction, signing, and watermarking outputs before relying on them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 85% confidence
Finding: The skill declares a broad trigger on generic document-processing requests in OpenClaw chats, which can cause the skill to activate in situations where the user did not explicitly intend third-party document handling. Because this skill sends files or extracted content over the network to Nutrient DWS, over-broad activation increases the risk of accidental disclosure of sensitive documents or data to an external service.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal