ClawHub

Civic Nexus

v0.1.0

Connect to Civic Nexus MCP for 100+ integrations.

0· 329·2 current·2 all-time
by@civictechuser
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description ask to connect to Civic Nexus and the skill requires NEXUS_URL/NEXUS_TOKEN and either mcporter or npx to run a fallback script — these map directly to the stated capability. The included TypeScript runner and package.json list the MCP SDK and tsx runtime which are appropriate for the task.
Instruction Scope
SKILL.md stays on-task (use mcporter or the included script to list/search/call Nexus tools). It instructs storing NEXUS_URL/NEXUS_TOKEN in the agent config and how to run OAuth flows; nothing in the instructions asks the agent to read unrelated files or exfiltrate data. Note: by design the agent can call arbitrary Nexus tools (Gmail, DBs, Box, etc.), so runtime activity may reach many downstream services depending on the Nexus token.
Install Mechanism
No arbitrary download/install step is present. The skill is instruction-oriented and includes a runnable TypeScript script plus package.json/pnpm lock (dependencies come from npm). Running the fallback uses npx/tsx which will pull packages from the npm registry — a standard, traceable mechanism (moderate risk compared to local-only instructions but expected here).
Credentials
The only required environment variables are NEXUS_URL and NEXUS_TOKEN (primary credential), which are appropriate for connecting to an MCP. However, a single Nexus token can grant broad access to many downstream integrations (Gmail, databases, Box, etc.), so granting this secret is powerful — this is expected for a Nexus bridge but worth explicit caution.
Persistence & Privilege
always is false and the skill does not request system-wide configuration changes. It asks you to add its env values to your OpenClaw config (normal for skills). It does not modify other skills or request elevated persistent privileges.
Assessment
This skill appears to do what it says, but before installing, verify you trust nexus.civic.com and the source of this package. NEXUS_TOKEN grants the skill access to potentially many downstream services (Gmail, databases, Box, etc.), so treat it as a high-value credential: use the least-privilege token possible, prefer short-lived or revocable tokens, and store it in a secure place. If you plan to run the fallback TypeScript runner, be aware that npx/tsx will fetch packages from npm at runtime — run it in an environment where remote package fetching is acceptable. If you have concerns, test in an isolated account or sandbox, audit the token's permissions on the Nexus side, and consider rotating the token after first use.

Like a lobster shell, security has layers — review code before you run it.

latestvk970fycartfyzjykw2fcafa00n8236n6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Any binmcporter, npx
EnvNEXUS_URL, NEXUS_TOKEN
Primary envNEXUS_TOKEN

Comments