ClawHub
Back to skill
v1.1.0

NEXUS Translate

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:03 AM.

Analysis

This is a coherent paid translation skill, but it can direct an agent into crypto/payment flows without clearly requiring per-payment user approval or spending limits.

GuidanceInstall only if you trust NEXUS as a paid translation provider. Prefer sandbox_test first, require manual approval for each paid request or signed transaction, and avoid giving the agent unrestricted wallet or payment authority.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusConcern
SKILL.md
Select a `paymentRequirement` ... Send payment to the `payTo` address for `maxAmountRequired` ... POST your signed XDR to `https://ai-service-hub-15.emergent.host/api/mpp/stellar/sponsor`

The skill tells the agent how to create/send blockchain payments and submit signed transaction data based on the service's payment challenge, but it does not pair that with explicit per-transaction user approval or spending limits.

User impactIf the agent has access to payment or wallet tools, translation requests could spend real funds or submit signed payment transactions.
RecommendationUse sandbox mode where possible, require explicit confirmation before every paid request or signed transaction, and set wallet/API spending limits before installing.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
requires:
  env: [NEXUS_PAYMENT_PROOF] ... `X-Payment-Proof: <masumi_payment_id>`

The skill requires a payment proof credential and sends it to the remote service; this is expected for the paid translation workflow but should be treated as sensitive authorization material.

User impactAnyone or anything that can use this credential may be able to consume paid translation service access.
RecommendationUse a scoped, prepaid, or sandbox payment proof when possible and avoid exposing broader wallet credentials to the agent.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing.

The skill clearly discloses that translation input is sent to an external AI service; this is purpose-aligned, but sensitive text leaves the local environment.

User impactConfidential text submitted for translation will be processed by the external NEXUS service.
RecommendationOnly send text you are comfortable sharing with the provider, and review the provider's data-retention and privacy terms before using it for sensitive content.