Paperless-ngx Document Manager

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: paperless-docs
Version: 1.0.0

The skill bundle provides a set of Node.js scripts for managing documents in Paperless-ngx via its REST API. All scripts correctly utilize `PAPERLESS_URL` and `PAPERLESS_TOKEN` environment variables for authentication and API interaction. File system access is limited to reading user-specified files for upload (`scripts/upload.mjs`) and writing downloaded documents to user-specified or current directory paths (`scripts/download.mjs`), which are legitimate functions for a document management skill. The `SKILL.md` and `references/api.md` files serve as documentation and do not contain any prompt injection attempts or instructions for malicious actions. There is no evidence of data exfiltration, unauthorized execution, persistence, or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using this skill should assume the agent can access whatever the configured Paperless token can access.

Why it was flagged

The skill requires a Paperless API token and URL, which is expected for the service but grants the agent delegated access to that Paperless account.

Skill content

"PAPERLESS_URL": "http://your-paperless-host:8000", "PAPERLESS_TOKEN": "your-api-token"

Recommendation

Use a dedicated or least-privileged Paperless account/token if possible, and configure only a trusted Paperless URL.

What this means

Private document contents may be placed into the agent conversation or logs when you ask for document content.

Why it was flagged

The get command can return OCR text from documents, including full untruncated content when requested.

Skill content

if (values.content) { ... result.content = content; }

Recommendation

Retrieve only the documents and fields you need, and avoid using --full for highly sensitive documents unless necessary.

What this means

If used without care, direct API calls could change or delete document records in Paperless-ngx.

Why it was flagged

The advanced API reference documents direct mutation, deletion, and bulk-edit operations beyond the convenience scripts.

Skill content

PATCH `/api/documents/{id}/` | Update document metadata
DELETE `/api/documents/{id}/` | Delete document
...
Bulk edit documents

Recommendation

Require clear user approval before update, delete, or bulk-edit operations, and prefer the narrower convenience scripts for routine tasks.

What this means

Downloaded files may overwrite local files if the chosen or derived output path already exists.

Why it was flagged

The download script writes files to a user-specified path or a filename derived from Paperless metadata.

Skill content

const outputPath = values.output || join(process.cwd(), filename); await writeFile(outputPath, buffer);

Recommendation

Use an explicit safe output path for downloads and check before overwriting existing files.