NEXUS Cron Builder

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only cron helper is transparent about using a paid external API, but it can trigger paid crypto-based requests without a documented per-use approval or spending limit.

Install only if you trust NEXUS as a paid external AI provider. Before enabling it, use sandbox_test or a tightly limited payment proof, require confirmation before paid requests, and avoid sending sensitive infrastructure details in cron prompts.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could incur repeated small charges for routine cron-expression tasks if payment credentials are configured.

Why it was flagged

Automatic invocation combined with per-request pricing means normal matching tasks could trigger paid API usage. The artifacts do not document a required user confirmation, spend cap, or approval gate before paid requests.

Skill content

This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... **$0.05** per request

Recommendation

Use the sandbox mode where possible, require manual confirmation before paid calls, and set an external budget or prepaid limit before enabling autonomous use.

What this means

If configured with a reusable payment proof or credential, the skill may be able to authorize paid requests beyond a single manual action.

Why it was flagged

The skill requires or uses payment credentials/proofs and supports payment authorization headers, giving it delegated authority to access a paid service.

Skill content

requires:
  env: [NEXUS_PAYMENT_PROOF]
...
- `X-PAYMENT: <base64url JSON>`
- `Authorization: Payment <credential>`
- `X-Payment-Proof: <masumi_payment_id>`

Recommendation

Prefer one-time, prepaid, or tightly scoped payment proofs; do not provide wallet private keys; and review each payment flow before allowing the agent to proceed.

What this means

Cron questions, schedules, service names, or operational details included in prompts may be shared with the external provider.

Why it was flagged

The skill clearly discloses that user input leaves the local agent and is processed by a hosted AI service.

Skill content

By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.

Recommendation

Avoid sending sensitive infrastructure details unless you trust the NEXUS service and its retention/privacy practices.

What this means

Users have less registry-level provenance information to confirm who operates the paid API and skill package.

Why it was flagged

The registry entry does not provide a source repository or homepage, which makes independent verification harder for a paid external service.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the NEXUS domain and service documentation independently before configuring payment credentials.