NEXUS Code Explain
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This code-explainer is transparent about using a paid external AI API, but its instructions include payment flows without clear per-use approval or spending limits.
Use this skill only if you are comfortable sending code to NEXUS and paying per request. Before enabling real payments, configure sandbox/testing mode, set an external budget or approval process, and avoid submitting confidential code unless you trust the provider’s privacy practices.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A matching code-explanation request could result in a paid call or crypto/stablecoin transfer without a clear per-use confirmation step.
The normal workflow directs the agent to make a crypto/stablecoin payment. The artifacts disclose the advertised price, but they do not require explicit user confirmation, a spending cap, or verification that the payment challenge matches the advertised $0.05/request before paying.
Send payment to the `payTo` address for `maxAmountRequired` ... Retry with `X-PAYMENT: <base64url JSON ...>`
Require explicit user approval before any payment, default to sandbox mode unless the user opts in, validate `maxAmountRequired` against the advertised price, and support per-user spending limits.
If the payment proof is exposed or reused incorrectly, someone else may be able to use the paid service or learn payment-related information.
The skill requires a payment proof credential and sends it as a request header to the NEXUS service. This is expected for a paid API, but it is still sensitive authority.
requires:
  env: [NEXUS_PAYMENT_PROOF]
... `X-Payment-Proof: <masumi_payment_id>`
Use the sandbox proof for testing, store real payment proofs securely, avoid sharing logs that include headers, and rotate or revoke credentials when possible.
Sensitive source code or internal context included in the prompt will be transmitted to the NEXUS service.
The skill clearly discloses that code or query text is sent to an external provider and processed server-side. This is aligned with the purpose, but private or proprietary code may leave the local environment.
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.
Only send code you are allowed to share with this provider, and review the provider’s retention and privacy terms before using it for confidential projects.
Users have limited registry-level information for verifying who operates the service and how it is maintained.
The registry metadata does not provide a source repository or homepage for independent provenance review. Because the skill is instruction-only, local install risk is limited, but users must still trust the referenced external service.
Source: unknown
Homepage: none
Install only if you trust the NEXUS service endpoint, and prefer a package that links to clear documentation, source provenance, and service terms.
