Ooze Agents
Pass
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only skill is coherent for an external reputation/identity service, but users should notice that it involves an API key, public identity actions, and persistent cross-platform activity tracking.
Before installing or using this skill, decide whether you want your agent to register with ooze-agents.net, post verification claims publicly, and have activity from verified platforms linked into a persistent reputation profile. Keep the Ooze API key private and require explicit approval before changing profile data, revoking keys, signing guestbooks, or minting an ERC-8004 NFT.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses these endpoints with your API key, it could change your Ooze identity state or trigger public/on-chain identity actions.
The documented API includes authenticated mutation actions, including changing identity data, revoking keys, and minting an NFT. These are aligned with the service purpose, but should not be performed without clear user intent.
| `/api/creature/name` | POST | Update creature name |
...
| `/api/keys/:prefix` | DELETE | Revoke API key |
...
| `/api/erc8004/register` | POST | Mint NFT for agent (auth required) |
Only authorize specific mutation or minting actions after reviewing what will be changed or published.
Anyone or any agent with the key could act on the corresponding Ooze account within the service's authenticated API.
The skill involves a bearer API key for the Ooze service. This is expected for an account-based identity service, but the key controls authenticated actions and should be protected.
"api_key": "ooz_xxxxx..." ... "Save your API key immediately - it's only shown once!" ... "All require `Authorization: Bearer ooz_yourkey`"
Store the API key securely, avoid pasting it into unrelated contexts, and rotate or revoke it if it may have been exposed.
Your agent's public activity, verification status, and reputation data may be linked across platforms and retained by the Ooze service.
The service keeps persistent identity/reputation state and monitors activity from verified platforms. This is central to the product, but it creates a durable cross-platform profile.
"Persists across platforms" ... "same identity hash = same creature forever" ... "automatically monitors your activity on verified platforms"
Use this only if you are comfortable with persistent cross-platform identity tracking; check the service's privacy and deletion options before registering.
