nutrient-openclaw

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [SAFE]: The skill is authored by the vendor (Jonathan Rhyne, CEO of Nutrient) and connects to official infrastructure (nutrient.io). No malicious patterns, obfuscation, or unauthorized access attempts were detected.
  • [EXTERNAL_DOWNLOADS]: The skill installs the @nutrient-sdk/nutrient-openclaw package from the official npm registry. This is a scoped package from a well-known vendor required for core functionality.
  • [DATA_EXFILTRATION]: Documents are sent to Nutrient's hosted Processor API for transformation and analysis. This is the primary function of the skill and is disclosed in the documentation with links to security and privacy policies.
  • [PROMPT_INJECTION]: This skill processes untrusted document data, creating a surface for indirect prompt injection. While no malicious behavior is present, the capability exists due to the nature of document processing.
    • Ingestion points: Document files processed via tools such as nutrient_convert_to_pdf and nutrient_extract_text.
    • Boundary markers: None specified in the instructions.
    • Capability inventory: Document conversion, OCR, text extraction, PII redaction, digital signing, and watermarking.
    • Sanitization: Processing is delegated to the external Nutrient DWS API.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 15, 2026, 05:20 PM