NEXUS Doc Writer
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a disclosed remote documentation service, but it can trigger paid API requests (backed by a crypto/payment proof) automatically, with no clear per-use approval step or spending limit.
Install only if you trust NEXUS with your code/spec text and with the payment proof. Start with sandbox_test where possible, and require both explicit approval and a budget cap before any paid request.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make repeated paid documentation requests when it decides a task matches, potentially accumulating charges.
The artifact ties automatic invocation to a per-request price, but shows no required user approval step, spending limit, or retry limit in front of paid calls.
"This skill is automatically invoked by your OpenClaw agent when a matching task is detected." ... "$0.25 per request"
Use the sandbox mode first, require explicit user approval before paid requests, and set a budget or disable autonomous invocation if supported.
Anyone or any agent with access to the payment proof may be able to use the paid service or prove payment on your behalf.
The skill depends on a payment proof credential and purchase-related capability. This is expected for a paid API, but it is still sensitive delegated authority.
Required env vars: NEXUS_PAYMENT_PROOF; Primary credential: NEXUS_PAYMENT_PROOF; Capability signals: crypto, can-make-purchases
Store the payment proof securely, prefer limited-use or sandbox credentials, and rotate or revoke it if exposed.
Your code, specifications, or documentation prompts may leave your local environment and be processed by the provider.
The skill clearly discloses that user input is sent to an external AI service. This is purpose-aligned, but code or specs can contain proprietary or sensitive data.
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.
Do not send confidential code or specifications unless you trust the provider and its retention/privacy terms.
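The two findings above (uncapped automatic paid calls, and code or specs leaving the machine) are both controls the caller can enforce in front of the skill. The guard below is an added example, not code from the NEXUS skill, OpenClaw, or ClawScan: it enforces a hard budget, asks for approval per paid request, bounds retries, treats sandbox calls as free, and refuses to send a prompt that contains obvious secrets. The $0.25 price is the figure quoted from SKILL.md; the NEXUS API itself is not documented on this page, so the send callable (here a constructed stub), PaidCallGuard, find_secrets, PaidCallBlocked, and the secret patterns are assumptions for illustration.

```python
"""Guarding an automatically invoked, per-request-priced skill.

Added example; not the NEXUS skill's, OpenClaw's, or ClawScan's code.
Assumed: PRICE_PER_REQUEST is the "$0.25 per request" quoted from SKILL.md,
`send` is whatever performs the real call (a stub stands in below), and the
NEXUS_PAYMENT_PROOF credential is read only for non-sandbox calls.
"""
import os
import re
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Callable, List, Optional

PRICE_PER_REQUEST = Decimal("0.25")

# Shapes of secrets that should never reach a remote AI service.
# Constructed, illustrative list; extend it for your environment.
SECRET_PATTERNS = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("credential assignment",
     re.compile(r"(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*\S+")),
]


class PaidCallBlocked(Exception):
    """Raised when the guard refuses to make (another) paid request."""


def find_secrets(text: str) -> List[str]:
    """Names of secret patterns present in text; empty list if clean."""
    return [name for name, pat in SECRET_PATTERNS if pat.search(text)]


@dataclass
class PaidCallGuard:
    budget: Decimal                            # hard cap on total spend
    approve: Callable[[str, Decimal], bool]    # per-request approval hook
    max_attempts: int = 2                      # bounds retries of a billable call
    sandbox: bool = True                       # sandbox calls assumed free
    payment_proof: Optional[str] = None        # falls back to the env var
    spent: Decimal = field(default_factory=lambda: Decimal("0"))
    attempts_made: int = 0

    def run(self, prompt: str,
            send: Callable[[str, bool, Optional[str]], str]) -> str:
        """One request via send(prompt, sandbox, proof).

        The budget is debited per attempt (pessimistic: a retried paid call may
        be billed each time), approval is asked once per request, and secrets
        in the prompt block the call before anything leaves the machine.
        """
        hits = find_secrets(prompt)
        if hits:
            raise PaidCallBlocked(f"prompt contains {', '.join(hits)}; not sending")

        cost = Decimal("0") if self.sandbox else PRICE_PER_REQUEST
        if cost and not self.approve(prompt, cost):
            raise PaidCallBlocked("user did not approve this paid request")

        proof = None
        if not self.sandbox:
            proof = self.payment_proof or os.environ.get("NEXUS_PAYMENT_PROOF")
            if not proof:
                raise PaidCallBlocked("NEXUS_PAYMENT_PROOF is not set")

        last_error: Optional[Exception] = None
        for _ in range(self.max_attempts):
            if self.spent + cost > self.budget:
                raise PaidCallBlocked(f"budget {self.budget} would be exceeded")
            self.spent += cost
            self.attempts_made += 1
            try:
                return send(prompt, self.sandbox, proof)
            except ConnectionError as exc:   # transient failure: retry within the limit
                last_error = exc
        raise PaidCallBlocked(f"gave up after {self.max_attempts} attempts: {last_error}")


def demo() -> dict:
    """Stand-alone scenario using a constructed stub in place of the real call."""
    calls = {"n": 0}

    def stub_send(prompt: str, sandbox: bool, proof: Optional[str]) -> str:
        calls["n"] += 1
        if calls["n"] == 1:
            raise ConnectionError("simulated transient failure")  # forces one retry
        return f"[{'sandbox' if sandbox else 'paid'}] docs for: {prompt[:20]}"

    guard = PaidCallGuard(budget=Decimal("0.50"), approve=lambda p, c: True,
                          sandbox=False, payment_proof="constructed-proof")
    out = {"first": guard.run("def add(a, b): return a + b", stub_send)}
    try:
        guard.run("class Foo: ...", stub_send)       # budget already consumed
        out["second_blocked"] = False
    except PaidCallBlocked:
        out["second_blocked"] = True
    try:
        guard.run("token = hunter2-not-real", stub_send)   # secret in prompt
        out["secret_blocked"] = False
    except PaidCallBlocked:
        out["secret_blocked"] = True
    sandbox_guard = PaidCallGuard(budget=Decimal("0"), approve=lambda p, c: False)
    out["sandbox"] = sandbox_guard.run("spec: REST API for orders", stub_send)
    out["spent"] = str(guard.spent)
    out["attempts"] = guard.attempts_made
    return out


if __name__ == "__main__":
    print(demo())
```

In the scenario, the first paid request costs two attempts (one transient failure plus the success), which already exhausts the $0.50 budget, so the second request is refused before anything is sent; the prompt containing a credential is refused regardless of budget; and the sandbox guard completes with nothing spent and without consulting the approval hook.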
The registry gives little assurance about who operates the service or where its terms can be verified.
The package is instruction-only and its behavior is mostly disclosed, but sparse registry provenance makes it harder to verify the provider before enabling a paid remote service.
Source: unknown; Homepage: none
Verify the NEXUS provider and payment terms independently before installing or enabling paid requests.
