NEXUS Commit Message
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This paid, remote commit-message generator discloses most of what it does, but it is invoked automatically by the agent and billed per request, so users should review spending and data-sharing controls before installing it.
Install only if you trust NEXUS with your diffs and payment proof. Prefer sandbox_test or a low-limit payment credential, require confirmation before paid calls, and avoid sending diffs that contain secrets, private keys, or regulated data.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
This is an artifact-based, informational review of SKILL.md, the registry metadata, the install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so behaviour that is not visible in those artifacts is not assessed.
Repeated or unintended matching tasks could spend payment credits or cryptocurrency-backed funds.
Automatic invocation combined with per-request pricing and purchase capability means any matching task can trigger a paid remote call; the artifacts show no confirmation step or budget control.
This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... ## Pricing - **$0.05** per request
Use sandbox mode or a tightly limited payment proof, and configure the agent to ask for confirmation before any paid request.
Anyone, and any agent action, that holds this credential can consume the paid service, and the credential itself carries a payment identifier that may be exposed wherever it is logged or shared.
The skill requires a payment proof credential and sends it to the NEXUS service; this is expected for the paid API, but it is still delegated payment/account authority.
requires: env: [NEXUS_PAYMENT_PROOF] ... - `X-Payment-Proof: <masumi_payment_id>`
Use a least-privilege or low-value payment proof, avoid sharing it broadly, and rotate it if exposed.
Private code changes, secrets accidentally included in diffs, or business context may leave the local environment.
The commit diff or input is sent to an external NEXUS AI service for processing; this is disclosed and purpose-aligned, but code diffs can contain secrets or private intellectual property.
All data is sent to `https://ai-service-hub-15.emergent.host` over HTTPS/TLS.
Review diffs before use, avoid sending secrets or regulated data, and install only if you trust NEXUS as a processing provider.
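The spending item and the data-sharing item above both come down to one local decision: should this diff be sent as a paid request at all? The following pre-flight guard is an added example written for this page, not code from the NEXUS skill, OpenClaw or ClawScan. It applies the report's recommendations before anything leaves the machine: the destination is pinned to the disclosed host over HTTPS, the diff is scanned for secrets, a per-session spend cap is enforced at the disclosed $0.05 per request, and each call needs explicit confirmation; the payment proof is only ever logged redacted. The price, host and header name are taken from the report; the class and function names, the secret patterns, the entropy threshold, the URL path and the two sample diffs are this example's own assumptions, and how the agent would be made to call such a guard is outside what the artifacts show.

```python
"""Pre-flight guard for a paid, remote commit-message service.
Added example for this page; not code from the NEXUS skill, OpenClaw or ClawScan.
Price, endpoint host and header name come from the scan report; everything else
(class, secret patterns, entropy threshold, sample diffs) is an assumption.
"""
import math
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

PRICE_CENTS = 5                                    # $0.05 per request (disclosed)
ALLOWED_HOST = "ai-service-hub-15.emergent.host"   # disclosed endpoint host
PROOF_HEADER = "X-Payment-Proof"                   # disclosed credential header
ENTROPY_THRESHOLD = 4.5       # bits/char; random base64-like blobs sit above this
HEADER_PREFIXES = ("diff ", "index ", "--- ", "+++ ", "@@")

# Secrets that commonly land in diffs (this example's own list, not exhaustive).
SECRET_PATTERNS = {
    "private key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws access key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "generic secret assignment": re.compile(
        r"""(?i)(api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][^'"]{8,}"""),
}

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))

def find_secrets(diff: str) -> list[str]:
    """Scan every content line: the whole diff, removed lines included, is uploaded."""
    findings = []
    for lineno, line in enumerate(diff.splitlines(), 1):
        if line.startswith(HEADER_PREFIXES):
            continue
        body = line[1:]                # drop the +/-/space diff marker
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(body):
                findings.append(f"line {lineno}: {name}")
        # High-entropy blobs catch key material the named patterns miss.
        for token in re.findall(r"[A-Za-z0-9+/=_-]{32,}", body):
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append(f"line {lineno}: high-entropy string")
                break
    return findings

@dataclass
class PaidCallGuard:
    """Gates each paid call: host pinning, secret scan, spend cap, confirmation."""
    budget_cents: int
    spent_cents: int = 0
    audit: list[str] = field(default_factory=list)

    def authorize(self, diff: str, url: str, confirmed: bool) -> tuple[bool, str]:
        """Return (allowed, reason); the budget is charged only when allowed."""
        parts = urlparse(url)
        if parts.scheme != "https" or parts.hostname != ALLOWED_HOST:
            return False, f"payment proof must not be sent to {url}"
        findings = find_secrets(diff)
        if findings:
            return False, "diff may contain secrets: " + "; ".join(findings)
        if self.spent_cents + PRICE_CENTS > self.budget_cents:
            return False, f"spend cap reached ({self.spent_cents}/{self.budget_cents} cents)"
        if not confirmed:
            return False, "paid call needs explicit confirmation"
        self.spent_cents += PRICE_CENTS
        self.audit.append(f"charged {PRICE_CENTS} cents, total {self.spent_cents}")
        return True, "ok"

def redact(payment_proof: str) -> str:
    """Keep a short prefix so logs can correlate a call without exposing the proof."""
    return payment_proof[:4] + "..." if len(payment_proof) > 8 else "****"

# Constructed sample diffs for the demo; not real repository content.
CLEAN_DIFF = """\
--- a/app.py
+++ b/app.py
@@ -1,3 +1,4 @@
 import os
+TIMEOUT_SECONDS = 30
 def main():
     pass
"""
LEAKY_DIFF = """\
--- a/settings.py
+++ b/settings.py
@@ -1,2 +1,2 @@
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "hunter2-but-longer-now"
"""

if __name__ == "__main__":
    guard = PaidCallGuard(budget_cents=10)               # two requests per session
    url = f"https://{ALLOWED_HOST}/v1/commit-message"    # path is an assumption
    for diff, confirmed in ((CLEAN_DIFF, False), (CLEAN_DIFF, True), (LEAKY_DIFF, True)):
        print(guard.authorize(diff, url, confirmed))
    print({PROOF_HEADER: redact("masumi-pay-1234567890")}, guard.audit)
```

The checks run in a deliberate order: the host check comes first so the credential is never attached to a request bound elsewhere, the secret scan comes before the spend cap so a leaky diff is refused without consuming budget, and confirmation is last so the user is only asked about calls that would otherwise be allowed. The cap is kept in integer cents to avoid floating-point drift across many $0.05 charges.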
Users have little independent way to verify who maintains the skill or whether the service instructions in SKILL.md match the published registry entry.
The registry metadata provides no verifiable source or homepage, and the submitted SKILL.md declares a version that differs from the registry entry, so provenance is hard to track.
Source: unknown; Homepage: none; Version: 1.1.0
Verify the provider and endpoint out of band before relying on the skill for paid or private-code workflows.
