Ooze Agents
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses these endpoints with your API key, it could change your Ooze identity state or trigger public/on-chain identity actions.
The documented API includes authenticated mutation actions, including changing identity data, revoking keys, and minting an NFT. These are aligned with the service purpose, but should not be performed without clear user intent.
| `/api/creature/name` | POST | Update creature name |
...
| `/api/keys/:prefix` | DELETE | Revoke API key |
...
| `/api/erc8004/register` | POST | Mint NFT for agent (auth required) |
Only authorize specific mutation or minting actions after reviewing what will be changed or published.
Anyone or any agent with the key could act on the corresponding Ooze account within the service's authenticated API.
The skill involves a bearer API key for the Ooze service. This is expected for an account-based identity service, but the key controls authenticated actions and should be protected.
"api_key": "ooz_xxxxx..." ... "Save your API key immediately - it's only shown once!" ... "All require `Authorization: Bearer ooz_yourkey`"
Store the API key securely, avoid pasting it into unrelated contexts, and rotate or revoke it if it may have been exposed.
Your agent's public activity, verification status, and reputation data may be linked across platforms and retained by the Ooze service.
The service keeps persistent identity/reputation state and monitors activity from verified platforms. This is central to the product, but it creates a durable cross-platform profile.
"Persists across platforms" ... "same identity hash = same creature forever" ... "automatically monitors your activity on verified platforms"
Use this only if you are comfortable with persistent cross-platform identity tracking; check the service's privacy and deletion options before registering.
