OlaXBT Nexus Data
Review
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent crypto data API wrapper, but it requires a wallet-linked API token, so users should protect the token and keep API endpoints trusted.
Before installing, verify the package source, set NEXUS_JWT only in a trusted environment, leave API URLs at their defaults unless you trust the override, and avoid sharing logs or screenshots that may contain token data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
API calls made with this token may access the user's Nexus account data or consume account/API credits.
The skill requires a wallet-linked bearer token for API access. This is expected for the stated service, but it gives the skill authenticated account/API authority.
| `NEXUS_JWT` | Bearer token for the Nexus data API. Obtain it via the auth flow
Use a revocable token, scope it if the service supports scoping, keep it out of shared logs, and rotate or revoke it if exposed.
A shared console log or screenshot could reveal part of a sensitive authentication token.
The example prints the beginning of the JWT to stdout. This is user-directed example code rather than hidden exfiltration, but token fragments can still appear in terminal logs or screenshots.
print(f" JWT Token: {jwt_token[:50]}...\n")
Avoid printing token material; redact this line before using the example in shared terminals, CI logs, demos, or screenshots.
If the NEXUS_AUTH_URL or NEXUS_DATA_URL environment variables are set incorrectly or maliciously, authenticated requests could go to an unintended endpoint.
The client can be pointed to alternate API base URLs via constructor arguments or environment variables. This is disclosed configuration behavior, but a bad override could redirect JWT-authenticated requests.
self.auth_url = auth_url or os.getenv("NEXUS_AUTH_URL", "https://api.olaxbt.xyz/api")
self.data_url = data_url or os.getenv("NEXUS_DATA_URL", "https://api-data.olaxbt.xyz/api/v1")
Leave the default OlaXBT endpoints unless you intentionally need an override, and only use trusted HTTPS URLs.
A future install may resolve to different dependency versions than the reviewed package used.
The package uses dependency ranges rather than pinned versions. This is common for Python libraries, but installed dependency versions can vary over time.
dependencies = [
"web3>=6.0.0",
"requests>=2.28.0",
"pydantic>=2.0.0",
"cryptography>=42.0.0",
"python-dotenv>=1.0.0",
]
Install from the official source, prefer a lockfile or pinned versions in production, and review package provenance before use.
Users might overestimate how protected the JWT is during local use.
The changelog makes strong security claims. The provided main client configuration also shows JWT encryption disabled, so users should treat these claims as marketing rather than a reason to handle the token casually.
- JWT token encryption in memory
- Military-grade encryption for sensitive data
Treat NEXUS_JWT like any other bearer secret: store it securely, avoid exposing it in logs, and rotate it if compromised.
