Back to skill

Security audit

Nudocs

Security checks across malware telemetry and agentic risk

Overview

This skill is a clear Nudocs.ai document integration, but users should be careful because it can upload, share, download, list, and delete cloud documents.

Install only if you trust Nudocs.ai and the @nutrient-sdk/nudocs-cli package. Treat uploaded files and returned links as sensitive, avoid using it for documents you do not intend to send to Nudocs.ai, and explicitly confirm document IDs before pull, link, or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger list includes vague phrases such as "pull it back," "get that doc," "grab the updated version," "what did I change," "share link," and "where's that doc." These lack clear Nudocs-specific context, so they could cause unintended activation during normal document-related conversations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The command list includes `nudocs delete <ulid>`, which is a destructive operation, but the markdown provides no warning, confirmation guidance, or cautionary note about permanent document removal. For markdown files, potentially destructive behavior should be disclosed so users understand the risk to their data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.