NEXUS Multi Model
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a clearly documented external AI router, but it can trigger paid per-request calls without documented per-use approval or budget limits.
Install only if you trust NEXUS, are comfortable sending prompts to its hosted AI service, and can control spending. Use sandbox testing first, protect NEXUS_PAYMENT_PROOF, and require explicit approval or a strict budget before allowing paid calls.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could spend funds on external AI requests if payment tooling or credentials are available, potentially without the user noticing each individual charge.
The runtime instructions include creating a payment for each service request. Combined with README.md stating the skill is automatically invoked for matching tasks, the artifacts do not show a clear per-use approval or budget control before spending.
Price: $0.15/request ... Send payment to the `payTo` address for `maxAmountRequired` ... Retry with `X-PAYMENT`
Use only with explicit user approval for paid calls, set a spending limit, and prefer the sandbox mode until you are comfortable with the payment flow.
Anyone or any agent with access to the payment proof may be able to use paid NEXUS service access tied to that proof.
The skill requires a payment proof or payment credential to authorize calls. This is expected for a paid API, but it is still value-bearing authorization material.
requires:\n env: [NEXUS_PAYMENT_PROOF] ... `Authorization: Payment <credential>` ... `X-Payment-Proof: <masumi_payment_id>`
Store the payment proof securely, scope it to the minimum needed, rotate it if exposed, and avoid sharing it with unrelated skills.
Prompts may contain private or sensitive information and will leave the local agent environment for processing by NEXUS.
The skill clearly discloses that user prompts are sent to an external provider and processed by server-side AI models.
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.
Do not send secrets, confidential documents, or regulated data unless you trust the provider and its retention/security practices.
Users have less independent provenance information to verify who operates the paid service and whether the packaged skill matches the registry entry.
The registry metadata lacks source/homepage provenance and lists version 1.1.0, while the supplied SKILL.md declares version 2.0.0. This creates a minor reviewability and version-coherence gap for a paid external service.
Source: unknown; Homepage: none; Version: 1.1.0
Verify the provider domain and documentation before paying, and prefer skills with consistent version metadata and clear source/homepage information.
