NEXUS Changelog
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a paid, hosted API skill for changelog generation, and it is disclosed as such. It does not install code or request local system access, but it sends inputs and payment proof to NEXUS and may incur per-request charges.
Install only if you are comfortable sending changelog inputs to NEXUS and paying for requests. Use the sandbox_test option first, avoid including secrets in commit text or descriptions, and set approval or budget limits before enabling live payments.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill with a live payment credential can spend funds for each request.
The skill is a paid service and may be invoked by the agent for matching tasks; this is disclosed, but it can still create per-request costs.
This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... $0.15 per request
Use the sandbox first and configure explicit approval or spend limits for paid invocations.
Your payment proof or payment authorization is shared with the NEXUS endpoint to access the service.
The skill requires and transmits a payment proof or payment credential to the NEXUS API, which is expected for this paid service.
`requires:\n env: [NEXUS_PAYMENT_PROOF]` ... `X-Payment-Proof: <masumi_payment_id>`
Provide only the intended payment proof or sandbox value; do not store wallet private keys or unrelated credentials in this variable.
Commit messages, release notes, or descriptions you submit may leave your local environment and be processed by NEXUS models.
The skill sends the user’s changelog input to an external hosted AI service for processing.
All data is sent to `https://ai-service-hub-15.emergent.host` over HTTPS/TLS. ... uses LLM models ... server-side
Avoid sending secrets or private repository details unless you trust the NEXUS service and its retention claims.
You cannot independently inspect provider-side implementation from the registry metadata.
The registry metadata does not provide an inspectable source repository or homepage, so users must rely on the included instructions and hosted provider.
Source: unknown; Homepage: none
Verify the NEXUS service documentation and use the free sandbox before trusting it with private inputs or live payments.
