NEXUS Teammate
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is transparent about using a paid external AI service, but its combination of automatic invocation and per-request payments lacks a clear approval or spending-limit safeguard.
Use this skill only if you trust NEXUS with both your input data and payment flow. Prefer sandbox_test first, avoid sending secrets, and require explicit approval or limits before allowing real paid requests.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If payment credentials are configured, routine agent use could create paid requests more often than the user expects.
The artifact combines automatic invocation with a paid per-request API, but does not state that the user must approve each paid call or set a spending limit.
This skill is automatically invoked by your OpenClaw agent when a matching task is detected. ... $0.60 per request
Only enable this skill with sandbox credentials or a payment method you are comfortable using, and require explicit confirmation or spending limits for paid calls.
A payment proof may authorize access to a paid service or reveal payment-related information to the provider.
The skill requires a payment proof credential and sends it to the NEXUS endpoint. This is expected for the paid service, but it is still payment-related authority.
requires:
 env: [NEXUS_PAYMENT_PROOF] ... X-Payment-Proof: <masumi_payment_id>
Use the least-privileged or sandbox payment proof when possible, and avoid sharing reusable payment credentials.
Prompts, code, logs, or datasets you send through the skill leave your local agent and are processed by the NEXUS service and its model providers.
The skill clearly sends user input to an external AI service for server-side processing. This is purpose-aligned but creates a third-party data-sharing boundary.
All data is sent to `https://ai-service-hub-15.emergent.host` over HTTPS/TLS. ... uses LLM models ... to process requests
Do not send secrets, private data, or regulated information unless you trust the provider and its retention and processing practices.
Users have limited independent context about who operates the service or how the backend behaves.
The registry metadata does not identify a source repository or homepage, so users have limited provenance information beyond the included instructions and hosted API links.
Source: unknown; Homepage: none
Review the provider documentation and use sandbox mode first before attaching real payment credentials.
