Is jdrhyne/nutrient-openclaw safe?
https://github.com/openclaw/skills/tree/main/skills/jdrhyne/nutrient-openclaw
The jdrhyne/nutrient-openclaw skill is a clean documentation-only SKILL.md with no executable code, no prompt injection, and no hidden malicious instructions. The primary risk is inherent to its purpose: all document processing routes through the third-party Nutrient DWS API, meaning sensitive document content leaves the user's environment. The referenced npm plugin package (@nutrient-sdk/nutrient-openclaw) was not installed during this audit and requires separate review before deployment. Canary file accesses observed in monitoring are attributable to the oathe audit infrastructure's own baseline and post-install integrity checks, not to skill code.
Category Scores
Findings (7)
MEDIUM Sensitive credential files accessed during audit window -20 ▶
Six high-value credential files were opened and read during the audit period: .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud application_default_credentials.json. These accesses occurred at two audit timestamps (pre-clone baseline at 1771926508.711 and post-install check at 1771926526.544). Timing and CLOSE_NOWRITE disposition strongly indicate these reads originate from the oathe audit infrastructure itself rather than from skill code. The SKILL.md file contains no executable code capable of performing file I/O. Canary integrity system confirms files are intact.
MEDIUM All document content routed through third-party Nutrient DWS API 0 ▶
Every document processed by this skill — including PDFs containing PII, financial data, legal contracts, or medical records — is transmitted to nutrient.io's cloud API. This is the intended and documented behavior, but users should understand that document content leaves their environment. There is no evidence of additional hidden endpoints, but the Nutrient API's own data retention, logging, and security posture are outside this audit scope.
MEDIUM Referenced npm package @nutrient-sdk/nutrient-openclaw not audited -4 ▶
The skill's install metadata specifies an npm package installation step: openclaw plugins install @nutrient-sdk/nutrient-openclaw. This package was not fetched or installed during this audit. npm packages can execute arbitrary code via preinstall/postinstall lifecycle hooks at install time and at runtime. The package's install scripts, dependencies, and runtime behavior require separate security review before deployment.
LOW Digital signature tool enables identity impersonation -12 ▶
The nutrient_sign tool example prompt is 'Sign this contract as Jonathan Rhyne'. In a live agent context, a malicious user could craft prompts to have the agent sign documents as a specific named individual, organization officer, or authority figure. While the skill itself does not instruct the agent to do this, the tool's natural-language trigger makes it susceptible to social engineering for fraudulent document signing.
LOW PII sent to third-party AI endpoint before redaction applied -8 ▶
The nutrient_ai_redact tool performs AI-powered PII detection but must first transmit the unredacted document to Nutrient's AI backend for analysis. This creates a window where full PII-containing content reaches a third-party AI system, even when the stated goal is redaction. Users expecting zero-knowledge redaction may not realize this.
LOW Minimal filesystem footprint — only expected files installed 0 ▶
Post-install baseline diff shows exactly two files added to the skill directory: _meta.json and SKILL.md. No files were written outside the designated skill directory. No unexpected binaries, scripts, or configuration files were created.
INFO SKILL.md content is clean documentation with no injection patterns -3 ▶
Full review of SKILL.md found no prompt injection vectors: no 'ignore previous instructions', no persona overrides, no hidden unicode or HTML comment tricks, no instructions to suppress output, no unexpected permission requests, no external URL fetch instructions embedded in the skill body.