Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NEXUS Orchestrator

v1.0.0

Chain multiple AI services into automated workflows - describe a goal and the orchestrator plans, executes, and summarizes

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (orchestrating multi-step AI workflows) matches the runtime instructions: the SKILL.md tells the agent to POST the user's goal to an external orchestrator API. Required items (network access and a payment proof) are what you'd expect for a paid third-party orchestration service.
! Instruction Scope
The instructions send the full user input to a third-party endpoint (https://ai-service-hub-15.emergent.host). That is coherent with purpose but constitutes direct exfiltration of whatever the user supplies (including potentially sensitive data such as health information, credentials, or PII). The SKILL.md asserts 'No data is stored permanently' — an unverifiable claim outside your control. The skill also instructs use of an env var directly in an auth header, which could leak a token if mishandled.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by the skill itself. This minimizes local attack surface and matches the description.
Credentials
It requests a single env var (NEXUS_PAYMENT_PROOF) as the primary credential, which is proportionate for a paid API. However, the sensitivity of that value is unclear (it may function as an auth token). Storing sensitive payment or wallet data in an env var can be risky if that value is actually a secret; the README suggests a 'sandbox_test' option for testing.
Persistence & Privilege
The skill does not request 'always: true' or elevated privileges; SKILL.md declares no filesystem or shell access and network:true (expected). It does not attempt to modify other skills or system-wide config.
What to consider before installing
This skill will send whatever you type to a third-party service (ai-service-hub-15.emergent.host) and requires you to supply a NEXUS_PAYMENT_PROOF value in your environment. Before installing:
(1) Verify and research the service/host (domain reputation, privacy policy, terms).
(2) Avoid sending sensitive personal or health data unless you trust the provider and have read their retention/privacy docs — the claim of 'no permanent storage' is not verifiable from the SKILL.md.
(3) Treat NEXUS_PAYMENT_PROOF as an auth token: do not put private wallet seeds, passwords, or long-lived keys there; use the sandbox_test value for initial testing.
(4) If you must use it for sensitive tasks, contact the provider for details on how payment-proofs are validated and what the header contains, and consider rotating or scoping the token.
Note: the skill is instruction-only so there is no local code to inspect — the security posture depends entirely on trusting the remote API.

Runtime requirements

Clawdis
Env: NEXUS_PAYMENT_PROOF
Primary env: NEXUS_PAYMENT_PROOF
