Paperless-ngx Document Manager
Pass
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Paperless-ngx API wrapper, but it will have access to your Paperless token and potentially sensitive documents.
Install only if you are comfortable letting the agent use your Paperless-ngx token. Treat search results, OCR content, downloads, uploads, and any direct API edits as potentially sensitive, and require confirmation before bulk changes or deletion.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill should assume the agent can access whatever the configured Paperless token can access.
The skill requires a Paperless API token and URL, which is expected for the service but grants the agent delegated access to that Paperless account.
"PAPERLESS_URL": "http://your-paperless-host:8000", "PAPERLESS_TOKEN": "your-api-token"
Use a dedicated or least-privileged Paperless account/token if possible, and configure only a trusted Paperless URL.
Private document contents may be placed into the agent conversation or logs when you ask for document content.
The get command can return OCR text from documents, including full untruncated content when requested.
if (values.content) { ... result.content = content; }
Retrieve only the documents and fields you need, and avoid using --full for highly sensitive documents unless necessary.
If used without care, direct API calls could change or delete document records in Paperless-ngx.
The advanced API reference documents direct mutation, deletion, and bulk-edit operations beyond the convenience scripts.
PATCH `/api/documents/{id}/` | Update document metadata | DELETE `/api/documents/{id}/` | Delete document ... Bulk edit documents
Require clear user approval before update, delete, or bulk-edit operations, and prefer the narrower convenience scripts for routine tasks.
Downloaded files may overwrite local files if the chosen or derived output path already exists.
The download script writes files to a user-specified path or a filename derived from Paperless metadata.
const outputPath = values.output || join(process.cwd(), filename); await writeFile(outputPath, buffer);
Use an explicit safe output path for downloads and check before overwriting existing files.
