Nanonets OCR

Pass

Audited by ClawScan on May 1, 2026.

Overview

This instruction-only OCR skill is aligned with its stated purpose, but it sends documents to Nanonets and uses an API key, so sensitive files and credentials should be handled carefully.

Before installing, confirm the Nanonets endpoint is official, provide DOCSTRANGE_API_KEY through an environment variable or secret store, and avoid uploading confidential, regulated, or third-party documents unless you are comfortable sending them to Nanonets for processing.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Files processed with the skill may leave the local environment and be handled by Nanonets.

Why it was flagged

The documented workflow uploads a local document to an external Nanonets extraction endpoint. This is expected for OCR, but the documents may contain sensitive personal, financial, or business data.

Skill content

curl -X POST "https://extraction-api.nanonets.com/api/v1/extract/sync" ... -F "file=@document.pdf"

Recommendation

Only upload documents you are allowed to send to Nanonets, and review the provider's privacy, retention, and compliance terms for sensitive documents.

What this means

If the API key is exposed or misused, someone could consume your Nanonets quota or access capabilities tied to that key.

Why it was flagged

The skill needs a Nanonets API key. That is purpose-aligned for a paid/authenticated extraction API, but it gives the agent access to that service account and quota.

Skill content

"requiredEnv": [ "DOCSTRANGE_API_KEY" ], "primaryEnv": "DOCSTRANGE_API_KEY", "requiresCredentials": true

Recommendation

Store the key in an environment variable or secret store, avoid committing it to files, restrict its permissions if supported, and rotate it if it may have been exposed.

What this means

Users have less registry-level assurance about provenance and requirements before reading the artifact contents.

Why it was flagged

Registry-facing metadata omits source/homepage and credential declarations even though the skill documentation and package.json describe a Nanonets endpoint and DOCSTRANGE_API_KEY usage. This is a metadata/provenance gap rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none; Required env vars: none; Primary credential: none

Recommendation

Verify the Nanonets endpoint and dashboard independently before entering an API key or uploading sensitive documents.