nutrient-openclaw
Audited by Socket on Mar 1, 2026
1 alert found:
Malware
This OpenClaw skill is functionally coherent: it delegates document conversions, OCR, redaction, watermarking, and signing to the Nutrient DWS API and requires an API key. The main security concerns are privacy and supply-chain trust: user documents and the configured API key are sent to a third-party service (nutrient.io), which is expected for a cloud processing plugin but represents a significant data-exfiltration and credential risk for sensitive documents. The 'sign on behalf of a named person' capability is high-impact and should be accompanied by clear authentication, authorization, audit, and retention policies. There are no immediate indicators of obfuscated or malicious code in the provided description, nor any download-and-execute or credential-harvesting patterns inside this fragment. To fully assess supply-chain risk, review the actual npm/GitHub package contents, network endpoints used at runtime, and the service's data-handling policies.