Commit 4d15057

Merge pull request #5 from PSPDFKit-labs/chore/security-hardening-skill-md
docs(skill): security hardening addendum for nutrient-document-processing
2 parents 2011d6b + d631593 commit 4d15057

1 file changed

Lines changed: 11 additions & 0 deletions

nutrient-document-processing/SKILL.md

@@ -117,3 +117,14 @@ Read only what you need:
117117
- Do not log secrets.
118118
- All client methods are async and should run via `asyncio.run(main())`.
119119
- If import fails, install dependency with `uv add nutrient-dws`.
120+
121+
## Security Hardening Addendum
122+
123+
- Prefer a pinned, preinstalled MCP server binary over runtime package fetches.
124+
- Preferred: `npm i -g @nutrient-sdk/dws-mcp-server@<pinned-version>`
125+
- Avoid unpinned runtime fetch in production paths.
126+
- Never store `NUTRIENT_DWS_API_KEY` in committed JSON config files.
127+
- Use process env injection at runtime (shell/export, secrets manager, or host env).
128+
- Restrict file access with `SANDBOX_PATH` to the minimum required working directory.
129+
- Before enabling MCP mode in production, verify package provenance and lock version.
130+
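
Review bot: The install command on new line 124 pins only the top-level package version. A global `npm i -g` install does not use a project lockfile, so unless the package ships its own shrinkwrap, its transitive dependencies are still resolved at install time. The bullet should say so and recommend doing the install once at image build time rather than on each deploy. New line 129 asks the reader to "verify package provenance and lock version" without naming a step; a concrete command (for example `npm audit signatures`) would make it actionable, and since it largely restates line 123 the two bullets could be merged. Line 125 would also be clearer if it named what an unpinned runtime fetch looks like in this skill's setup, and line 128 does not say what file access looks like when `SANDBOX_PATH` is left unset.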
