NEXUS Image Analysis

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a disclosed remote paid image-analysis service, but it may let the agent make paid requests automatically without clear per-use approval or budget limits.

Review this skill before installing if you plan to use real payments. It has no local code, shell access, or filesystem access, but it sends your input to a remote NEXUS service and may incur $0.35/request. Start with `sandbox_test`, avoid sensitive images or prompts, and require manual approval or a budget limit before enabling paid autonomous use.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured with a real payment method or proof, the agent could incur charges when it decides a task matches this skill.

Why it was flagged

The artifacts combine autonomous invocation with a paid per-request service, but do not state that the user must approve each paid request or set a budget limit.

Skill content

This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... $0.35 per request

Recommendation

Use the sandbox proof for testing, and require explicit user confirmation or a budget cap before any paid request is made.

What this means

Anyone or anything that can use this environment variable may be able to submit paid or authenticated requests to the service.

Why it was flagged

The skill requires a payment proof credential and sends it to the NEXUS service. This is expected for a paid API, but it is still sensitive account/payment authority.

Skill content

requires:
  env: [NEXUS_PAYMENT_PROOF] ... `X-Payment-Proof: <masumi_payment_id>`

Recommendation

Use the least-privileged payment proof available, prefer `sandbox_test` during evaluation, and avoid exposing the variable to unrelated skills or tools.

What this means

Images, image URLs, or related prompts may be processed by NEXUS and its server-side AI models.

Why it was flagged

The skill discloses external provider and A2A-style interaction, meaning user-supplied content leaves the local agent boundary.

Skill content

protocols:
  - masumi
  - mpp
  - a2a ... By using this skill, your input data is sent to NEXUS ... for AI processing.

Recommendation

Do not send confidential or regulated images unless you trust NEXUS and have reviewed its service terms and data-handling practices.

What this means

It may be harder to confirm that this package version is the intended release from the service provider.

Why it was flagged

The registry metadata has limited provenance, and the supplied SKILL.md declares version 2.0.0, which does not match the registry version.

Skill content

Source: unknown; Homepage: none; Version: 1.1.0

Recommendation

Verify the package and provider directly before using real payment credentials.