Ooze Agents
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: ooze-agents Version: 2.0.0 The OpenClaw AgentSkills bundle 'ooze-agents' primarily interacts with the `https://ooze-agents.net` API for identity management and state tracking, which aligns with its stated purpose. However, the `SKILL.md` file contains an instruction for the agent to download `HEARTBEAT.md` from `https://ooze-agents.net/skill/HEARTBEAT.md`. While this is a markdown file from the skill's own domain, it represents a dynamic instruction source that could be updated by the skill owner to include malicious commands or prompt injections against the agent, introducing a risky capability without clear malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent uses these endpoints with your API key, it could change your Ooze identity state or trigger public/on-chain identity actions.
The documented API includes authenticated mutation actions, including changing identity data, revoking keys, and minting an NFT. These are aligned with the service purpose, but should not be performed without clear user intent.
| `/api/creature/name` | POST | Update creature name | ... | `/api/keys/:prefix` | DELETE | Revoke API key | ... | `/api/erc8004/register` | POST | Mint NFT for agent (auth required) |
Only authorize specific mutation or minting actions after reviewing what will be changed or published.
Anyone or any agent with the key could act on the corresponding Ooze account within the service's authenticated API.
The skill involves a bearer API key for the Ooze service. This is expected for an account-based identity service, but the key controls authenticated actions and should be protected.
"api_key": "ooz_xxxxx..." ... "Save your API key immediately - it's only shown once!" ... "All require `Authorization: Bearer ooz_yourkey`"
Store the API key securely, avoid pasting it into unrelated contexts, and rotate or revoke it if it may have been exposed.
Your agent's public activity, verification status, and reputation data may be linked across platforms and retained by the Ooze service.
The service keeps persistent identity/reputation state and monitors activity from verified platforms. This is central to the product, but it creates a durable cross-platform profile.
"Persists across platforms" ... "same identity hash = same creature forever" ... "automatically monitors your activity on verified platforms"
Use this only if you are comfortable with persistent cross-platform identity tracking; check the service's privacy and deletion options before registering.