NEXUS Code Review
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a disclosed, paid, external code-review service. It can spend money (a crypto or other payment proof is charged per request) and is documented as automatically invoked, with no clear per-request approval step or budget limit.
Review this skill before installing if you plan to use real payments. Prefer the sandbox mode for testing, require explicit approval before paid calls, set a spending limit, and do not submit proprietary code or secrets unless you trust NEXUS and accept its data-handling practices.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If connected to a real payment proof or wallet workflow, the agent could incur charges when it decides a task matches the skill.
Automatic invocation combined with per-request billing creates a risk of unintended paid calls. The artifacts disclose pricing, but they do not specify a required user confirmation, budget cap, or retry limit before spending.
This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... Pricing ... $0.25 per request
Require explicit user approval before any paid request, set a budget or rate limit, and use the sandbox payment proof for testing.
If the agent reuses a real payment proof, each reuse may authorize service usage or consume paid entitlement.
The skill requires a payment proof credential and sends it to the NEXUS API. This is expected for the paid service, but it is still a credential-like value that authorizes use of the service.
requires:
 env: [NEXUS_PAYMENT_PROOF]
... -H "X-Payment-Proof: $NEXUS_PAYMENT_PROOF"
Use a scoped or test payment proof where possible, avoid storing wallet secrets in this variable, and rotate the proof if it is exposed.
Private code or embedded secrets may leave the local environment and be processed by the provider.
The skill clearly sends code-review input to an external hosted AI service. This is purpose-aligned and disclosed, but code review inputs can contain proprietary code, secrets, or sensitive implementation details.
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.
Only use this with code you are allowed to share, remove secrets before submitting, and rely on the provider only if you accept its data-handling terms.
