Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NEXUS Code Review

v1.1.0

Security, performance, and style analysis for code

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cyberforexblockchain/nexus-code-review.

Install the skill "NEXUS Code Review" (cyberforexblockchain/nexus-code-review) from ClawHub.
Skill page: https://clawhub.ai/cyberforexblockchain/nexus-code-review
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: NEXUS_PAYMENT_PROOF
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install nexus-code-review

ClawHub CLI

npx clawhub@latest install nexus-code-review
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (code review) match the runtime instructions: the skill forwards code to an external NEXUS service for analysis. Requiring a payment proof credential is consistent with a paid API. However the package has no homepage, no source repo, and an opaque owner ID, which reduces trustworthiness despite the functional alignment.
Instruction Scope
SKILL.md instructs the agent to POST your input (code) to https://ai-service-hub-15.emergent.host and to include payment headers or proof. This stays inside the declared purpose (remote code review) but does transmit potentially sensitive code to a third party. It also instructs users to POST signed Stellar XDRs to a sponsor endpoint—this is payment-related and not part of code analysis, so users should understand what a signed XDR contains before sending it.
Install Mechanism
No install spec and no code files are present (instruction-only). That minimizes local attack surface because nothing is written or executed locally by the skill itself.
Credentials
The skill requires one environment variable, NEXUS_PAYMENT_PROOF, declared as the primary credential. Requesting a single payment proof is proportionate for a paid endpoint, but the var is sensitive (represents payment credentials/authorization). There is no independent verification of the provider; requiring you to persist this credential in your agent environment is a privacy/financial risk if the service is untrusted or compromised.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or access to other skills or system paths. It declares only network permission (reasonable for a remote API).
What to consider before installing
This skill will send whatever code you submit to a third-party service (https://ai-service-hub-15.emergent.host) and requires you to supply a sensitive payment credential (NEXUS_PAYMENT_PROOF). Before installing or enabling it:

  1. Do not send sensitive production code, secrets, or credentials to the service unless you trust the provider.
  2. Prefer using the documented sandbox mode (X-Payment-Proof: sandbox_test) for initial testing.
  3. Avoid storing NEXUS_PAYMENT_PROOF permanently in system-wide env vars; use ephemeral/temporary credentials or an agent-scoped secret you can rotate.
  4. Verify the service operator (there is no homepage or source repo in the package) — check TLS certs and independent documentation or reviews at the provider domain.
  5. Be cautious about sending signed Stellar XDRs to the sponsor endpoint: do not expose private keys and understand whether the signed envelope could be replayed.
  6. If you need to run code reviews on sensitive code, prefer an on-premise tool or a skill from a known vendor.

If you proceed, limit scope, rotate credentials after use, and monitor charges/transactions on the referenced chains.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Clawdis
Env: NEXUS_PAYMENT_PROOF
Primary env: NEXUS_PAYMENT_PROOF
Tags: ai, cardano, latest, stellar, x402
310 downloads
0 stars
2 versions
Updated 5h ago
v1.1.0
MIT-0

Code Review API

NEXUS Agent-as-a-Service on Cardano + Stellar | Price: $0.25/request | Accepts: ADA, DJED, iUSD, USDCx, USDM (Cardano) + USDC, XLM (Stellar)

When to use

Use when you need a security and quality review of code. Finds bugs, vulnerabilities, and suggests improvements.

Steps

Option A: x402 Standard (Recommended)

  1. Call the service endpoint without payment headers.
  2. Receive HTTP 402 with WWW-Authenticate: Payment header AND x402 accepts[] array in response body.
  3. Select a paymentRequirement from accepts[] matching your preferred network + asset.
  4. Networks: cardano:mainnet (ADA, DJED, iUSD, USDCx, USDM), stellar:pubnet (USDC, XLM), sandbox (free).
  5. Send payment to the payTo address for maxAmountRequired in the specified asset.
  6. Stellar fee sponsorship: POST your signed XDR to https://ai-service-hub-15.emergent.host/api/mpp/stellar/sponsor — NEXUS pays gas, you need 0 XLM.
  7. Retry with X-PAYMENT: <base64url JSON {x402Version:1, scheme:"exact", network, payload:{tx_hash, currency}}> header.
  8. Parse the JSON response and X-PAYMENT-RESPONSE header.
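
A client-side guard for steps 3 and 7, added here as an example and not part of the skill or the NEXUS service: it refuses any accepts[] entry outside a caller-defined network/asset allowlist and price cap, then builds the X-PAYMENT value in the shape step 7 gives. The key spellings `network` and `asset`, decimal-string amounts, unpadded base64url, the sample body, and all placeholder values are assumptions.

```python
import base64
import json
from decimal import Decimal, InvalidOperation

# Constructed 402 body. Key spellings and decimal-string amounts are assumptions.
SAMPLE_402 = {"accepts": [
    {"network": "cardano:mainnet", "asset": "ADA",
     "payTo": "addr_PLACEHOLDER", "maxAmountRequired": "0.60"},
    {"network": "stellar:pubnet", "asset": "USDC",
     "payTo": "G_PLACEHOLDER", "maxAmountRequired": "5.00"},
    {"network": "stellar:pubnet", "asset": "USDC",
     "payTo": "G_PLACEHOLDER", "maxAmountRequired": "0.25"},
]}
# Caller policy: (network, asset) pairs it will pay in, with a per-request cap.
BUDGET = {("stellar:pubnet", "USDC"): Decimal("0.25")}

def select_requirement(body, budget, pinned_pay_to=None):
    """Return the first accepts[] entry inside policy, or None to refuse."""
    for req in body.get("accepts", []):
        cap = budget.get((req.get("network"), req.get("asset")))
        if cap is None:
            continue  # network/asset not on the allowlist
        try:
            amount = Decimal(str(req["maxAmountRequired"]))
        except (KeyError, InvalidOperation):
            continue  # missing or non-numeric amount
        if not amount.is_finite() or amount < 0 or amount > cap:
            continue  # NaN, infinite, negative, or over budget
        if pinned_pay_to is not None and req.get("payTo") not in pinned_pay_to:
            continue  # recipient differs from the one verified out of band
        return req
    return None

def build_x_payment(network, tx_hash, currency):
    """Encode the step-7 header value (unpadded base64url is an assumption)."""
    obj = {"x402Version": 1, "scheme": "exact", "network": network,
           "payload": {"tx_hash": tx_hash, "currency": currency}}
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_x_payment(value):
    """Decode a header value for logging or audit before it is sent."""
    return json.loads(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)))

if __name__ == "__main__":
    chosen = select_requirement(SAMPLE_402, BUDGET)
    print("selected:", chosen)
    print("X-PAYMENT:", build_x_payment(chosen["network"], "TX_HASH_PLACEHOLDER", chosen["asset"]))
```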

Option B: MPP Standard

  1. Call the service endpoint without payment headers.
  2. Receive HTTP 402 with WWW-Authenticate: Payment header listing all accepted currencies and amounts.
  3. Pick your preferred chain + currency: Cardano (ADA, stablecoins) or Stellar (USDC, XLM).
  4. Create payment: Masumi escrow (Cardano) or direct Stellar transfer.
  5. Stellar fee sponsorship: POST your signed XDR to https://ai-service-hub-15.emergent.host/api/mpp/stellar/sponsor — NEXUS pays gas, you need 0 XLM.
  6. Retry with Authorization: Payment <base64url-credential> header.
  7. Parse the JSON response and Payment-Receipt header.

Option C: Legacy Header

  1. Send a POST request to the NEXUS API endpoint with your input.
  2. Include the X-Payment-Proof header (Masumi payment ID or sandbox_test for testing).
  3. Parse the JSON response and return the result.

API Call

curl -X POST https://ai-service-hub-15.emergent.host/api/original-services/code-review \
  -H "Content-Type: application/json" \
  -H "X-Payment-Proof: $NEXUS_PAYMENT_PROOF" \
  -d '{"code": "def login(user, pwd): ..."}'

Endpoint: https://ai-service-hub-15.emergent.host/api/original-services/code-review
Method: POST
Headers:

  • Content-Type: application/json
  • X-PAYMENT: <base64url JSON> (x402 standard — recommended)
  • Authorization: Payment <credential> (MPP standard)
  • X-Payment-Proof: <masumi_payment_id> (legacy — use sandbox_test for free testing)

Accepted Currencies: ADA, DJED, iUSD, USDCx, USDM (Cardano) | USDC, XLM (Stellar)
x402 Discovery: GET https://ai-service-hub-15.emergent.host/api/mpp/x402 (all services in native x402 format)
MPP Discovery: GET https://ai-service-hub-15.emergent.host/api/mpp/discover
Stablecoin Registry: GET https://ai-service-hub-15.emergent.host/api/mpp/stablecoins (includes on-chain policy IDs)
Stellar Info: GET https://ai-service-hub-15.emergent.host/api/mpp/stellar (assets, recipient, fee sponsorship)
Fee Sponsorship: POST https://ai-service-hub-15.emergent.host/api/mpp/stellar/sponsor (NEXUS pays Stellar gas — agents need 0 XLM)

External Endpoints

URL | Method | Data Sent
https://ai-service-hub-15.emergent.host/api/original-services/code-review | POST | Input parameters as JSON body

Security & Privacy

  • All data is sent to https://ai-service-hub-15.emergent.host over HTTPS/TLS.
  • No data is stored permanently; requests are processed and discarded.
  • Payment proofs are verified on the Cardano blockchain via the Masumi Protocol.
  • No filesystem access or shell execution required.

Model Invocation Note

This skill calls the NEXUS AI service API which uses LLM models (GPT-5.2, Claude Sonnet 4.5, GPT-4o) to process requests. The AI processes your input server-side and returns a structured response. You may opt out by not installing this skill.

Trust Statement

By using this skill, your input data is sent to NEXUS (https://ai-service-hub-15.emergent.host) for AI processing. Payments are non-custodial via the Masumi Protocol on Cardano. Only install if you trust NEXUS as a service provider. Visit https://ai-service-hub-15.emergent.host for full documentation.

Tags

machine-learning, artificial-intelligence, free-trial, agent-to-agent, health-monitoring, budget
