Skill v1.1.0

ClawScan security

NEXUS Email Compose · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 9, 2026, 5:11 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill mostly matches its stated purpose (a paid email-composer service) but it asks for a required environment credential and contains small inconsistencies that are disproportionate to its function and warrant caution.
Guidance
This skill appears to be a thin wrapper for a paid remote service and is instruction-only (no code installed). The main red flag is that it requires a global NEXUS_PAYMENT_PROOF environment variable even though the docs describe sandbox and on-the-fly payment flows; storing a payment proof as a permanent env var increases the chance of leaking a sensitive credential. Before installing:

1. Verify the service operator (ai-service-hub-15.emergent.host) and review their external documentation.
2. Do not set a permanent NEXUS_PAYMENT_PROOF in your global environment; prefer passing sandbox_test or per-request credentials.
3. Test with the sandbox option first and monitor network traffic.
4. If you must provide payment credentials, scope them tightly (use short-lived credentials or agent-scoped config) and avoid placing secrets in global shell profiles.
5. Consider whether you trust an unknown third party to see the content of messages you send to the service.

If the publisher cannot explain why a required env var is necessary for all installs, treat the skill with caution.
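The two credential-handling points above (do not persist NEXUS_PAYMENT_PROOF in a shell profile; hand it to one call at a time) can be checked and demonstrated with a small script. This is an added example, not code from the ClawScan report or from the NEXUS Email Compose skill: the variable name comes from the report, the profile files and their contents are constructed for the demo, the function names are hypothetical, and nothing here contacts the service.

```shell
#!/bin/sh
# Added example (not part of the ClawScan report or the NEXUS Email Compose skill):
# audit shell profiles for a persistent NEXUS_PAYMENT_PROOF export, and show the
# per-invocation alternative the report's guidance recommends. File names and
# sample profile contents below are constructed for the demo.

SECRET_VAR=NEXUS_PAYMENT_PROOF

# profile_exports_secret FILE... : returns 0 (found) if any readable FILE assigns
# NEXUS_PAYMENT_PROOF, with or without 'export', and prints file:line:content for
# each hit; returns 1 if no file does. Commented-out lines are not matched.
profile_exports_secret() {
    pes_status=1
    for pes_file in "$@"; do
        [ -r "$pes_file" ] || continue
        if grep -nHE "^[[:space:]]*(export[[:space:]]+)?${SECRET_VAR}=" "$pes_file"; then
            pes_status=0
        fi
    done
    return $pes_status
}

# run_with_scoped_proof PROOF CMD [ARG...] : hand the proof to one child process
# only. env(1) sets the variable for that command alone; it is never exported
# into the caller's shell, so later commands do not inherit it.
run_with_scoped_proof() {
    rwsp_proof=$1
    shift
    env "${SECRET_VAR}=${rwsp_proof}" "$@"
}

# scoped_proof_is_contained : returns 0 if a demo proof reached the child process
# but is not visible in the current shell afterwards, 1 otherwise.
scoped_proof_is_contained() {
    spic_seen=$(run_with_scoped_proof "demo-proof" sh -c 'printf %s "$NEXUS_PAYMENT_PROOF"')
    [ "$spic_seen" = "demo-proof" ] && [ "${NEXUS_PAYMENT_PROOF:-unset}" != "demo-proof" ]
}

# Demo on constructed profile files in a scratch directory (no real dotfiles touched).
demo_dir=$(mktemp -d)
printf 'export PATH="$PATH:/opt/bin"\nexport NEXUS_PAYMENT_PROOF=xyz-not-a-real-proof\n' > "$demo_dir/.bashrc"
printf 'alias ll="ls -l"\n# NEXUS_PAYMENT_PROOF=commented-out\n' > "$demo_dir/.zshrc"

if profile_exports_secret "$demo_dir/.bashrc" "$demo_dir/.zshrc"; then
    echo "WARNING: ${SECRET_VAR} is persisted in a shell profile; remove it and pass it per call."
else
    echo "OK: no profile persists ${SECRET_VAR}."
fi

if scoped_proof_is_contained; then
    echo "OK: per-invocation proof reached the child and did not leak into this shell."
fi
rm -rf "$demo_dir"
```

To use this against a real machine, point profile_exports_secret at the actual dotfiles (~/.bashrc, ~/.zshrc, ~/.profile, and anything under /etc/profile.d). For the real call, replace the sh -c demo command with the curl invocation from the skill's SKILL.md; the exact headers are not reproduced here because this page does not show them.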

Review Dimensions

Purpose & Capability
note: The skill's purpose (drafting emails) aligns with calling a remote paid API. However, declaring NEXUS_PAYMENT_PROOF as a required environment variable (primary credential) is heavier than expected: the SKILL.md documents multiple payment flows (x402, MPP, and a sandbox test) that do not require a permanent env var, so making one global env var mandatory is disproportionate. Metadata/tags also include unrelated tags (e.g., 'health-monitoring'), which is odd but low-severity.
Instruction Scope
note: SKILL.md is explicit about network calls to https://ai-service-hub-15.emergent.host and about how to include payment headers. It instructs the agent to read NEXUS_PAYMENT_PROOF (example shown in curl), submit payment proofs, and optionally POST signed Stellar XDRs to a sponsor endpoint. These actions are within the domain of a paid API, but reading a global env var for payment proof and POSTing signed XDRs can expose sensitive payment credentials/transactions if misused; the instructions do not restrict how the credential is obtained or scoped.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files. This minimizes code-install risk (nothing written to disk by the skill package itself).
Credentials
concern: Requiring a single primary env var named NEXUS_PAYMENT_PROOF (and marking it required) is questionable: the documented flows support ephemeral credentials, sandbox_test, or headers generated at call time. Making a long-lived payment proof a mandatory installation-time env var increases the risk of accidental exfiltration or misuse. The env var likely contains sensitive payment/credential information, but the README/SKILL.md do not justify why it must be global and required.
Persistence & Privilege
ok: The skill does not request persistent 'always' inclusion and has normal network permission. No claims of modifying other skills or system settings. Autonomous invocation is allowed (default) but not combined with other high-risk requests.