Skill v1.1.0
ClawScan security
NEXUS Doc Writer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 5:10 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally consistent: it is an instruction-only paid API client that legitimately asks for a payment proof credential and instructs network calls to a single external service; there are no unrelated permissions, installs, or unexpected credential requests, but the provider and endpoint are unknown so exercise caution before giving live payment credentials.
- Guidance: This skill is essentially a paid client that forwards your inputs to https://ai-service-hub-15.emergent.host and returns the result. Before installing: (1) verify you trust the provider and the emergent.host domain (there's no homepage or owner info in the registry), (2) do not set a live payment credential as NEXUS_PAYMENT_PROOF unless you understand billing and trust the service — use sandbox_test for trials, (3) expect your inputs to be sent to a third party (they state data is processed server-side), and (4) review pricing and terms on the provider site. If you need stronger assurance, ask the publisher for a verifiable homepage, a published service contract/TOU, or a signed skill manifest before supplying any secrets.
Review Dimensions
- Purpose & Capability: ok. The name/description (generate documentation) match the SKILL.md: it delegates work to a hosted NEXUS service. The requested credential (NEXUS_PAYMENT_PROOF) is consistent with a paid hosted API.
- Instruction Scope: ok. Instructions are explicit and limited: POST JSON to a single external API endpoint and include payment headers. The skill does not instruct filesystem or shell access, nor does it request unrelated system files or other credentials.
- Install Mechanism: ok. No install spec or code is included; this is instruction-only, so nothing is written to disk and no external packages are fetched. Lowest install risk.
- Credentials: note. The single required env var NEXUS_PAYMENT_PROOF aligns with the documented payment flows (x402 / MPP / legacy header). This credential can be used to make paid requests on your behalf, so provide only sandbox_test for testing or avoid installing if you don't want to expose a live payment credential.
- Persistence & Privilege: ok. Skill is not always-enabled and does not request elevated persistence. It does require network access to an external host (documented), which is appropriate for a hosted API client.
