NEXUS Summarize
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a real remote summarization skill, but it can send documents to a paid external service and may trigger paid requests automatically without clear per-use approval or spending limits.
Install only if you trust NEXUS to process your documents and handle payment proofs. Use sandbox_test first, require confirmation before any paid request, and set a clear budget or disable automatic paid invocation if your OpenClaw setup supports it.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could make paid summarization requests during normal task handling, potentially causing unexpected charges.
The skill can be invoked automatically for matching tasks while the documented service is paid per request. The artifacts do not describe an explicit per-call approval, spending limit, or retry cap.
This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... **$0.15** per request
Require explicit user confirmation before any paid request, set a spending limit, and prefer the documented sandbox mode for testing.
Anyone with access to the payment proof may be able to use or verify paid access depending on the provider's implementation.
The skill requires a payment proof credential and sends it to the NEXUS API. This is purpose-aligned for a paid API, but it is still a credential-like value.
`requires:\n env: [NEXUS_PAYMENT_PROOF]` ... `-H "X-Payment-Proof: $NEXUS_PAYMENT_PROOF"`
Use a scoped or test payment proof where possible, keep it secret, and rotate it if exposed.
Confidential documents or private text submitted for summarization will leave the local environment and be processed by NEXUS.
The skill clearly discloses that user-provided documents are sent to an external hosted AI service for processing.
All data is sent to `https://ai-service-hub-15.emergent.host` over HTTPS/TLS. ... The AI processes your input server-side
Only use the skill for content you are comfortable sending to the provider, and review the provider's privacy and retention terms before submitting sensitive documents.
Users have less assurance that the reviewed artifact version matches the registry package and intended provider release.
The registry has limited provenance information, and the provided SKILL.md frontmatter lists version 2.0.0, which does not match the registry version 1.1.0.
Source: unknown; Homepage: none; Version: 1.1.0
Verify the provider identity and intended version before installing, especially because the skill uses paid external services.
