NEXUS Mcp Bridge
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed network-only paid bridge to a hosted NEXUS MCP/LLM service, with no local code or shell/file access shown, but it sends your input and payment proof to an external provider.
Before installing, confirm you trust the NEXUS endpoint, use sandbox mode first if possible, protect the NEXUS_PAYMENT_PROOF value, and set approval or budget controls so the agent does not make paid requests unexpectedly.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If payment credentials are configured, matching tasks could consume a paid service.
The skill describes a paid per-request workflow. This is central to the service and disclosed, but payment-capable agent calls should be controlled by the user.
Price: $0.25/request ... Send payment to the `payTo` address for `maxAmountRequired`
Use the sandbox while testing and require user confirmation or a budget limit before paid requests.
The payment proof may authorize access to the paid service and should not be exposed casually.
The skill requires a payment proof environment variable and sends it as an authorization/payment header to the provider.
requires:\n env: [NEXUS_PAYMENT_PROOF] ... `X-Payment-Proof: <masumi_payment_id>`
Use the least-privileged or sandbox proof available, avoid sharing it in prompts or logs, and rotate it if exposed.
Any sensitive content included in a request leaves the local agent environment and is handled by the NEXUS service.
The artifacts disclose that user input is sent to an external hosted AI/MCP service for processing.
By using this skill, your input data is sent to NEXUS ... uses LLM models ... server-side
Only send data you are comfortable sharing with NEXUS, and review the provider’s privacy and service terms for sensitive workloads.
Users must rely more heavily on the hosted provider’s disclosed endpoint and documentation.
The skill has no local executable package to inspect, and the registry does not provide a source repository or homepage for independent provenance review.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Verify the NEXUS service identity and terms before trusting it with payments or sensitive queries.
