NEXUS Grammar Fix
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This grammar-fixing skill is transparent about using an external paid API, but it gives the agent payment-making instructions without clear per-use confirmation or budget limits.
Review this skill carefully before installing. If you use it, prefer the free sandbox or a limited prepaid payment proof, require confirmation before every paid request, and avoid sending sensitive text unless you trust the NEXUS service.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could incur charges or initiate payment flows while using what appears to be a simple writing-improvement tool.
The skill instructs the agent to make paid blockchain/payment actions for a grammar-fix request, but the artifacts do not define a user-confirmation step, budget cap, or other guardrail before spending.
Price: $0.02/request ... Send payment to the `payTo` address for `maxAmountRequired` ... Create payment: Masumi escrow (Cardano) or direct Stellar transfer.
Use only with explicit per-request approval, a sandbox payment proof, or a tightly limited prepaid credential. Add clear budget and confirmation requirements before any paid request.
A payment proof or payment credential may authorize use of the paid service and should be treated carefully.
The skill requires a payment proof or payment credential and sends it in request headers to the NEXUS API. This is expected for a paid service, but it is still sensitive delegated authority.
requires:
  env: [NEXUS_PAYMENT_PROOF]
... `Authorization: Payment <credential>` ... `X-Payment-Proof: <masumi_payment_id>`
Use a limited-scope or sandbox credential when possible, avoid sharing reusable payment proofs broadly, and verify the endpoint before sending credentials.
Text submitted for grammar correction may contain private or sensitive information and will leave the local agent environment.
The skill clearly discloses that user-provided text is sent to an external AI service. This is purpose-aligned for grammar fixing, but users should understand the data boundary.
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.
Do not submit confidential text unless you trust the provider and its retention claims; redact sensitive details when possible.
