NEXUS Sql Builder
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a disclosed remote SQL-generation service, but it can involve paid requests and automatic invocation without clear approval or budget controls.
Install only if you trust NEXUS and want a paid remote SQL-generation service. Prefer sandbox testing first, require confirmation before paid calls, set spending limits if your platform supports them, and do not send confidential schema or business data unless the provider’s privacy terms are acceptable.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could trigger paid SQL-builder calls during matching tasks, potentially spending money unexpectedly if payment credentials are configured.
Automatic invocation combined with per-request pricing can cause paid API calls, and the artifacts state no explicit approval step, rate limit, or budget control.
This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... - **$0.15** per request
Use sandbox mode unless you intentionally want paid calls, and require explicit confirmation or a budget limit before any payment-backed request.
Anyone or any agent with access to the configured payment proof may be able to authenticate paid requests to the NEXUS service.
The skill requires payment proof or payment credentials for the service. This is expected for the paid API, but it is still sensitive account/payment authority.
requires: env: [NEXUS_PAYMENT_PROOF] ... `Authorization: Payment <credential>` ... `X-Payment-Proof: <masumi_payment_id>`
Store payment proofs securely, use narrowly scoped/test credentials where possible, and rotate or remove them when not needed.
SQL requirements, schema details, or business context entered into the skill will leave the local environment.
The skill clearly sends the user's prompt/query requirements to an external provider and server-side LLMs; this is purpose-aligned but creates a third-party data boundary.
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.
Avoid submitting secrets or sensitive database details unless you trust the NEXUS provider and its data-handling claims.
Users have less registry-level assurance about who operates the paid service and where to verify documentation.
The registry metadata provides limited provenance for a paid remote-service skill, making independent verification harder.
Source: unknown; Homepage: none
Verify the NEXUS service identity and payment terms through trusted channels before configuring payment credentials.
