Skill v1.1.0
ClawScan security
NEXUS Grammar Fix · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 9, 2026, 5:11 PM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is internally coherent: it simply forwards text to a paid NEXUS grammar-fix API and requires a payment-proof credential; nothing in the files suggests hidden behavior, but you will be sending a credential to an external service so exercise normal caution.
- Guidance: This skill is coherent with its stated purpose: it forwards text to a paid NEXUS grammar service and expects a payment-proof header. Before installing, verify you trust the endpoint (https://ai-service-hub-15.emergent.host) and the service terms. Use sandbox_test for trial runs instead of placing a real payment credential in NEXUS_PAYMENT_PROOF. If you must supply a real credential, use a payment-specific, revocable token (not a long-lived wallet private key) and be prepared to rotate/revoke it. If you need higher assurance, ask the publisher for formal documentation of the payment protocol, and validate the endpoints out-of-band. Confidence is medium because this is instruction-only (no code to audit) and the external host is not a widely-known vendor; access to the real service documentation or publisher identity would raise confidence.
Review Dimensions
- Purpose & Capability (ok): Name/description (grammar/spelling fixer) align with the SKILL.md and README: the skill calls an external NEXUS grammar-fix API and charges per request. Requiring a payment proof credential (NEXUS_PAYMENT_PROOF) is consistent with a paid external service.
- Instruction Scope (note): Instructions are narrowly scoped to calling the external API (https://ai-service-hub-15.emergent.host) with payment headers. They do not request filesystem or shell access. However the runtime instructions explicitly tell the agent to include a payment proof header (which the skill declares as an env var); that means a secret-like value will be transmitted to the external host as part of normal operation.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or code to download, so nothing is written to disk by an installer. Lower risk from install mechanism.
- Credentials (note): Only one required env var (NEXUS_PAYMENT_PROOF) is declared and is used to authorize payment. That is proportionate to a paid external API. It is nevertheless sensitive: the skill will send that value to the external service, so provide a least-privileged/payment-specific credential (or use sandbox_test for trials).
- Persistence & Privilege (ok): The skill does not request persistent/always-on privileges, does not modify other skills, and does not ask to write agent config. Default autonomous invocation is enabled (normal), but always:false limits forced inclusion.
