Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NEXUS Doc Writer

v1.0.0

Generate technical documentation from code or specs

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the runtime instructions: the skill simply posts user input to an external Documentation Writer API. Requesting a payment-proof credential is plausible for a paid API.
Instruction Scope
SKILL.md explicitly directs the agent to POST input to a single external endpoint and to include the X-Payment-Proof header. It does not instruct reading other files, shell access, or arbitrary system data. However, it sends all user input to a third party (https://ai-service-hub-15.emergent.host), so privacy exposure is real, and the instructions leave broad discretion over what input is forwarded.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing is written to disk or executed locally by the skill itself, which lowers supply-chain risk.
Credentials
The skill requires a single env var, NEXUS_PAYMENT_PROOF, which is used directly as the X-Payment-Proof header. That is proportionate to a paid API, but this env var is sensitive (payment credential) and will be transmitted to the external service. No justification is provided about token scope or revocation, so users should ensure the token is limited and replaceable.
Persistence & Privilege
The skill is not always-on, requires no filesystem or shell permissions, and is user-invocable only. It does not request system-wide privileges or modify other skills.
What to consider before installing
This skill is basically a thin wrapper that sends whatever you provide to an external paid service. That makes the single requested env var (NEXUS_PAYMENT_PROOF) expected, but also sensitive — it will be placed in an HTTP header and sent to ai-service-hub-15.emergent.host. Before installing: verify the service/operator (there's no homepage or clear publisher info in the package), prefer using the documented sandbox token (sandbox_test) for testing, avoid sending secrets or private code until you trust the endpoint, ensure the payment-proof token is limited and revocable, and review the service's privacy/terms on the provider site. If you need stronger assurance, ask the publisher for provenance (company/website, published docs, security/privacy policy) or use an alternative with verifiable trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk9770x6tp2mx2rk4s9j5p5wsh182vn2k

Runtime requirements

Clawdis
Env: NEXUS_PAYMENT_PROOF
Primary env: NEXUS_PAYMENT_PROOF
