NEXUS Llm Gateway

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a disclosed paid LLM gateway, but it may be invoked automatically and lacks clear per-request approval or spending limits for crypto/stablecoin payments.

Use this skill only if you intend to send prompts to ai-service-hub-15.emergent.host and potentially pay per request. Start with the sandbox_test mode, require confirmation before real payments, set wallet/payment limits, and avoid sending secrets or confidential data unless you trust the provider’s privacy terms.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could make paid LLM gateway requests during normal use, potentially spending crypto/stablecoin funds unexpectedly if payment credentials are configured.

Why it was flagged

A paid API call may be triggered automatically for matching tasks. The provided artifacts disclose pricing but do not require per-request user approval, a spending limit, or a sandbox-only default.

Skill content

This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... Pricing ... **$0.10** per request

Recommendation

Require explicit user confirmation before non-sandbox payments, set wallet/payment spending limits, and document a clear maximum cost per task or session.

What this means

Anyone or any agent workflow with access to the configured payment proof may be able to use the paid service under that payment context.

Why it was flagged

The skill uses payment proofs or payment credentials to access the service. This is expected for the stated paid gateway, but it is still delegated financial/account authority.

Skill content

requires:
  env: [NEXUS_PAYMENT_PROOF] ... Headers: ... `X-PAYMENT: <base64url JSON>` ... `Authorization: Payment <credential>` ... `X-Payment-Proof: <masumi_payment_id>`

Recommendation

Use sandbox credentials for testing, keep payment proofs out of shared logs/prompts, and only configure production payment credentials where paid use is intended.

What this means

Sensitive or confidential prompt content could be exposed to the external gateway and its downstream model providers.

Why it was flagged

Prompts, messages, and task inputs are sent to an external gateway and processed server-side. This is purpose-aligned and disclosed, but users should recognize the data leaves their local environment.

Skill content

All data is sent to `https://ai-service-hub-15.emergent.host` over HTTPS/TLS. ... Data Sent: Input parameters as JSON body ... The AI processes your input server-side

Recommendation

Avoid sending secrets or confidential data unless the provider’s retention, privacy, and compliance terms meet your requirements.

What this means

It is harder to independently verify the operator, implementation, or privacy behavior of the remote gateway before use.

Why it was flagged

The local package is instruction-only, but the actual behavior depends on a remote paid service whose source/provenance is not provided in the registry metadata.

Skill content

Source: unknown; Homepage: none

Recommendation

Install only if you trust the NEXUS service endpoint, and prefer packages with clear source, homepage, and service terms for paid integrations.