Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NEXUS Code Review

v1.0.0

Security, performance, and style analysis for code

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (code review) matches the instructions (POST code to a remote code-review API). Requiring a payment proof credential for a paid API is reasonable. However the skill has no source/homepage provenance beyond the emergent.host endpoint, which reduces trust and should be verified.
Instruction Scope (flagged)
Runtime instructions send the user's input (code) to an external endpoint (https://ai-service-hub-15.emergent.host) with the X-Payment-Proof header. There is no guidance to strip secrets or redact sensitive values before sending code; sensitive data in submitted code (API keys, private keys, PII) could be exfiltrated. The skill claims no permanent storage, but that is an unverifiable assertion.
Install Mechanism
No install spec and no code files — instruction-only skill — so nothing is downloaded or written by the installer. This minimizes filesystem and executable risk.
Credentials (flagged)
Only one required env var (NEXUS_PAYMENT_PROOF) is declared and is appropriate for a paid API. However, storing a payment credential in the agent environment combined with network permission means the agent/skill can use it to make paid requests autonomously, potentially incurring charges without explicit user approval.
Persistence & Privilege (flagged)
The skill is not marked always:true (good), but it allows network access and the platform default permits autonomous invocation. When combined with the payment credential, autonomous invocation increases risk of unexpected charges or of automated exfiltration of code. There is no indication the skill modifies other skill settings.
What to consider before installing
This skill appears to do what it says (send code to a paid remote code-review API), but exercise caution before installing:

- Verify the service and operator: check the emergent.host domain and any independent documentation or reputation for the NEXUS platform before trusting it with code.
- Don't put your real payment proof or long-lived secrets in an environment variable while testing; use sandbox_test or a throwaway payment proof first.
- Avoid sending sensitive code or credentials to the service. Manually remove or redact API keys, private keys, PII, or any secrets from code before invoking the skill.
- Disable or restrict autonomous invocation (if your platform allows) so the agent cannot call the paid API without your explicit action, preventing unexpected charges.
- Start by sending a small non-sensitive sample request and verify the response, rate limits, and any billing behavior.
- If you need stronger privacy guarantees, prefer an offline or self-hosted code-review tool.

If you can confirm the service operator and are comfortable with the privacy/billing model, the skill is usable; otherwise treat it as untrusted.


Version: latest (vk97dtkq9qg7t84p74vk8zpq67982rna9)


Runtime requirements

Clawdis

Env: NEXUS_PAYMENT_PROOF

Primary env: NEXUS_PAYMENT_PROOF
