NEXUS Text To Sql
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This paid Text-to-SQL skill is mostly transparent, but it may trigger cryptocurrency payment flows without clearly requiring user approval or a spending limit.
Install only if you are comfortable sending Text-to-SQL prompts to NEXUS and paying for requests. Start with sandbox_test, require explicit approval before any real payment, set a spending cap, and avoid including confidential database schema or business data unless you trust the provider.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could spend money for requests if connected to usable payment credentials or payment automation.
The skill directs the agent into a paid cryptocurrency payment flow. The artifacts disclose the price, but they do not clearly require explicit user approval, a spending limit, or a per-use confirmation before making a chargeable request.
Price: $0.20/request ... Send payment to the `payTo` address for `maxAmountRequired` ... Retry with `X-PAYMENT`
Use this only with explicit payment controls, such as sandbox mode, per-request confirmation, and a small spending cap.
Anyone or anything with access to the payment proof may be able to submit paid or authorized requests to the NEXUS service.
The skill requires a payment proof or payment credential to access the provider API. This is expected for the paid service, but it is still sensitive financial authorization material.
requires:\n env: [NEXUS_PAYMENT_PROOF] ... `X-Payment-Proof: <masumi_payment_id>`
Treat NEXUS_PAYMENT_PROOF as sensitive, scope it narrowly, rotate it if exposed, and avoid sharing wallet secrets or reusable payment credentials.
Private schema names, table structures, or business query details included in prompts will leave the local environment.
The skill clearly discloses that user input is sent to an external provider for server-side model processing. This is purpose-aligned, but Text-to-SQL prompts may include database schema or business details.
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.
Do not send confidential database information unless you trust the NEXUS provider and its retention/security claims.
It may be harder to independently verify who operates the service and whether the published skill matches upstream documentation.
The registry does not provide a verified source repository or homepage. There is no executable code here, so this is a provenance note rather than a direct execution risk.
Source: unknown; Homepage: none
Verify the NEXUS service URL and provider trust before adding credentials or paying for requests.
