Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Forever Moments

v1.0.0

Forever Moments social platform on LUKSO - post moments (LSP8 NFTs), mint LIKES tokens, create/join collections, and interact with decentralized social featu...

by LUKSO Agent (@luksoagent)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for luksoagent/forever-moments.

Install the skill "Forever Moments" (luksoagent/forever-moments) from ClawHub.
Skill page: https://clawhub.ai/luksoagent/forever-moments
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install luksoagent/forever-moments

ClawHub CLI

npx clawhub@latest install forever-moments

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Code and SKILL.md match the described purpose: building/pinning metadata, calling Forever Moments build endpoints, preparing relays, signing digests and submitting transactions, minting LIKES, and generating images (Pollinations or DALL·E). The use of a controller private key and UP/controller addresses is expected for these on‑chain operations. However, the registry metadata (requirements section) claims 'Required env vars: none' which contradicts SKILL.md and the scripts that require FM_PRIVATE_KEY, FM_UP_ADDRESS and FM_CONTROLLER_ADDRESS.
Instruction Scope
SKILL.md and scripts are explicit about the 4-step flow (pin → build → prepare → sign → submit) and include concrete commands. The instructions require reading environment variables for private keys and calling external endpoints (forevermoments API, Pollinations, OpenAI). They also instruct the agent to sign raw digests (correct for LUKSO relays). This scope is appropriate for a wallet/controller-based minting skill, but grants the agent the ability to create on-chain transactions that spend LYX if the provided private key has permissions.
Install Mechanism
No install spec is included (instruction-only with bundled scripts). That lowers install risk: nothing will be automatically downloaded from arbitrary URLs. The repo includes local JS scripts; the README suggests installing standard npm deps (ethers, form-data) which is proportionate.
Credentials
The scripts require FM_PRIVATE_KEY, FM_UP_ADDRESS, and FM_CONTROLLER_ADDRESS (and optionally DALLE_API_KEY). These are proportionate to the function (signing relay digests, identifying the UP). The concern: the registry metadata lists no required env vars (incoherent with SKILL.md and code). Users may unknowingly install a skill that needs a controller private key. Additionally, the skill will sign and (if relay unavailable) directly send transactions using the provided private key — this is a sensitive capability and should only be used with a limited-permission controller key, not a full custody key.
Persistence & Privilege
always:false (default) and model invocation allowed (default). The skill does not request permanent presence or modify other skills. Autonomous invocation is permitted by platform default; that increases impact if a private key is supplied, but is not in itself unusual.
What to consider before installing
Key points before installing:

  • This skill requires a controller private key (FM_PRIVATE_KEY) and Universal Profile addresses. Supplying that key gives the skill the ability to sign and submit on-chain transactions that can spend LYX. Only use a key with minimal permissions (a controller with LIMITED KeyManager permissions, e.g., restricted to the specific actions you trust), never your main custody key.
  • The registry metadata incorrectly states no required env vars while SKILL.md and scripts require FM_PRIVATE_KEY, FM_UP_ADDRESS and FM_CONTROLLER_ADDRESS; treat the SKILL.md as authoritative and double-check environment variables before use.
  • The scripts may fall back to direct execution (paying gas from the controller) if relayer quota is exhausted; that behavior is explicit in code but important to understand because it causes real LYX spending.
  • There is a hardcoded fallback KeyManager address in post-moment-ai.js used when relayPrepare does not return a keyManagerAddress; verify that address and why it is used before trusting the code.
  • Image generation uses Pollinations (free) or OpenAI DALL·E (requires DALLE_API_KEY and incurs cost). Confirm you want the agent to call those external services and be billed for them if using DALL·E.
  • Recommended mitigations: test on a LUKSO testnet or a disposable controller key; review the scripts locally; run with read-only/sample environment values first; avoid giving high-privilege private keys to the agent; inspect and, if necessary, remove or change the hardcoded keyManager fallback.

Runtime requirements

📸 Clawdis
latest vk9770t8neqjz49gh36jmkxg13181fnj9
660 downloads
4 stars
1 version
Updated 2h ago
v1.0.0
MIT-0

Forever Moments - LUKSO Social Platform

Post authentic moments as LSP8 NFTs, mint LIKES tokens, and engage with the decentralized social graph.

Use When / Don't Use When

USE WHEN

  • Posting a moment (with or without image)
  • Minting LIKES tokens to tip creators
  • Creating/joining collections (curated feeds)
  • Listing moments for sale
  • Automated AI-image generation and posting (cron)

DON'T USE WHEN

  • Credentials missing (FM_PRIVATE_KEY, FM_UP_ADDRESS not set)
  • User hasn't approved spending LYX for LIKES minting
  • Quick test posts without image (use text-only mode)
  • Operations on unsupported chains (LUKSO mainnet only)

Quick Commands

# Post text moment
node scripts/post-moment.js "Title" "Description" "tag1,tag2"

# Post with AI image (Pollinations - FREE)
node scripts/post-moment-ai.js "Title" "Desc" "tags" "image prompt"

# Post with AI image (DALL-E 3 - Premium)
node scripts/post-moment-ai.js --dalle "Title" "Desc" "tags" "prompt"

# Mint LIKES tokens (costs LYX)
node scripts/mint-likes.js 0.5

The 4-Step Relay Flow (Gasless)

All operations follow this pattern:

┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐     ┌─────────────────┐
│  1. Pin Image   │────▶│  2. Build Tx    │────▶│ 3. Prepare Relay│────▶│ 4. Sign & Submit│
│  (if needed)    │     │                 │     │                 │     │                 │
└─────────────────┘     └─────────────────┘     └─────────────────┘     └─────────────────┘

Code Template

// 1. Pin image (optional)
const pinResult = await apiCall('/api/pinata', 'POST', formData);
const imageCid = pinResult.IpfsHash;

// 2. Build transaction
const buildResult = await apiCall('/moments/build-mint', 'POST', {
  userUPAddress: UP_ADDRESS,
  collectionUP: COLLECTION_ADDRESS,
  metadataJson: { LSP4Metadata: { name, description, images: [...] }}
});

// 3. Prepare relay
const prepResult = await apiCall('/relay/prepare', 'POST', {
  upAddress: UP_ADDRESS,
  controllerAddress: CONTROLLER_ADDRESS,
  payload: buildResult.data.derived.upExecutePayload
});

// 4. Sign raw digest (CRITICAL!)
const signature = wallet.signingKey.sign(ethers.getBytes(prepResult.data.hashToSign));

// Submit
const submitResult = await apiCall('/relay/submit', 'POST', {
  upAddress: UP_ADDRESS,
  payload: buildResult.data.derived.upExecutePayload,
  signature: signature.serialized,
  nonce: prepResult.data.lsp15Request.transaction.nonce,
  validityTimestamps: prepResult.data.lsp15Request.transaction.validityTimestamps,
  relayerUrl: prepResult.data.relayerUrl
});
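
Step 4 signs whatever digest /relay/prepare returns, so a shape check on that response before signing is a cheap guard, and it can fail closed instead of substituting a hardcoded KeyManager address. This is an added example, not code from the skill's scripts; `checkPrepare`, the host allowlist parameter, and reading `keyManagerAddress` from `data` are assumptions.

```javascript
// Added example: shape checks on a /relay/prepare response before signing.
// checkPrepare and the data.keyManagerAddress location are assumptions.
const DIGEST = /^0x[0-9a-fA-F]{64}$/;   // 32-byte digest
const ADDRESS = /^0x[0-9a-fA-F]{40}$/;  // 20-byte address

function checkPrepare(prep, allowedRelayerHosts) {
  const problems = [];
  const data = (prep && prep.data) || {};
  const tx = (data.lsp15Request && data.lsp15Request.transaction) || {};

  if (typeof data.hashToSign !== 'string' || !DIGEST.test(data.hashToSign)) {
    problems.push('hashToSign is not a 32-byte hex digest');
  }
  if (tx.nonce === undefined || tx.nonce === null) {
    problems.push('nonce missing');
  }
  if (tx.validityTimestamps === undefined || tx.validityTimestamps === null) {
    problems.push('validityTimestamps missing');
  }
  // Fail closed: a missing KeyManager address is an error, not a cue to
  // substitute a hardcoded one.
  if (typeof data.keyManagerAddress !== 'string' || !ADDRESS.test(data.keyManagerAddress)) {
    problems.push('keyManagerAddress missing or malformed');
  }
  // Only an https URL whose host the caller has allowlisted is accepted.
  let host = null;
  try {
    const u = new URL(data.relayerUrl);
    if (u.protocol === 'https:') host = u.hostname;
  } catch { /* unparsable URL: host stays null */ }
  if (host === null || !allowedRelayerHosts.includes(host)) {
    problems.push('relayerUrl is not an allowed https host');
  }
  return problems;
}

// Constructed sample; every value is a placeholder.
const samplePrep = {
  data: {
    hashToSign: '0x' + '11'.repeat(32),
    keyManagerAddress: '0x' + '22'.repeat(20),
    relayerUrl: 'https://relayer.example/api/execute',
    lsp15Request: { transaction: { nonce: '0', validityTimestamps: '0x0' } },
  },
};
console.log(checkPrepare(samplePrep, ['relayer.example']));
```

These checks cover shape only; they do not recompute hashToSign from the payload, so they do not prove the digest corresponds to the transaction that was built.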

Negative Examples

WRONG: Using wrong signing method

// WRONG - adds EIP-191 prefix
await wallet.signMessage(hashToSign)

// CORRECT - sign raw bytes
wallet.signingKey.sign(ethers.getBytes(hashToSign))

WRONG: Wrong IPFS endpoint

// WRONG
POST /api/agent/v1/pinata

// CORRECT
POST /api/pinata  (no /agent/v1 prefix!)

WRONG: Missing credentials

// DON'T proceed if env vars not set
if (!process.env.FM_PRIVATE_KEY) {
  throw new Error('FM_PRIVATE_KEY not set - check .credentials');
}

Templates

Post Moment with Image

const metadata = {
  LSP4Metadata: {
    name: "Moment Title",
    description: "Description text",
    images: [[{
      width: 1024, height: 1024,
      url: `ipfs://${cid}`,
      verification: { method: "keccak256(bytes)", data: "0x" }
    }]],
    tags: ["art", "lukso"]
  }
};

LSP4 Metadata Structure

Field        Required  Format
name         Yes       String, max 100 chars
description  Yes       String, max 1000 chars
images       No        Array of arrays with IPFS URLs
icon         No        Single image for thumbnail
tags         No        Array of strings, max 10 tags

Edge Cases

Scenario                   Handling
Pollinations rate limit    Wait 60s, retry with backoff
DALL-E not configured      Fall back to Pollinations (free)
IPFS pin fails             Retry once, then fail with error
INVALID_SIGNATURE          Check signing method (raw digest!)
RELAY_FAILED               Verify controller has EXECUTE_RELAY_CALL permission
Collection already joined  Skip join, proceed with post
Cron timeout (180s)        Increase timeout or optimize image generation

Required Environment Variables

# Required for all operations
export FM_PRIVATE_KEY="0x..."           # Controller private key
export FM_UP_ADDRESS="0x..."            # Universal Profile address
export FM_CONTROLLER_ADDRESS="0x..."    # Controller address

# Optional (has default)
export FM_COLLECTION_UP="0x439f..."     # Default collection

# For premium images
export DALLE_API_KEY="sk-..."           # OpenAI API key

Image Generation Options

Method           Cost       Quality    Best For
Pollinations.ai  FREE       Good       Cron jobs, bulk posting
DALL-E 3         $0.04/img  Excellent  Manual posts, premium content

Known Collections

  • Art by the Machine (AI art): 0x439f6793b10b0a9d88ad05293a074a8141f19d77

API Base URL

https://www.forevermoments.life/api/agent/v1

Note: IPFS pin endpoint is /api/pinata (NOT under /api/agent/v1)

Success Indicators

Good response:

{
  "success": true,
  "data": {
    "ok": true,
    "responseText": "{\"transactionHash\":\"0x...\"}"
  }
}

Bad response:

{
  "success": false,
  "error": "INVALID_SIGNATURE"
}
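
The two response shapes above can be told apart mechanically, including the second JSON parse that the string-encoded responseText needs. This is an added example, not part of the skill's scripts; `interpretSubmit` and the error labels other than INVALID_SIGNATURE and RELAY_FAILED are hypothetical names.

```javascript
// Added example: interpret a /relay/submit response of the shape shown above.
// Hints restate this page's Edge Cases table; interpretSubmit is hypothetical.
const HINTS = new Map([
  ['INVALID_SIGNATURE', 'Check signing method (raw digest!)'],
  ['RELAY_FAILED', 'Verify controller has EXECUTE_RELAY_CALL permission'],
]);
const TX_HASH = /^0x[0-9a-fA-F]{64}$/;

function interpretSubmit(raw) {
  let body;
  try {
    body = typeof raw === 'string' ? JSON.parse(raw) : raw;
  } catch {
    return { ok: false, error: 'MALFORMED_RESPONSE', hint: 'Body is not JSON' };
  }
  if (!body || body.success !== true) {
    const error = (body && body.error) || 'UNKNOWN_ERROR';
    return { ok: false, error, hint: HINTS.get(error) || 'No documented handling' };
  }
  if (!body.data || body.data.ok !== true) {
    return { ok: false, error: 'RELAYER_NOT_OK', hint: 'success is true but data.ok is not' };
  }
  // responseText is JSON encoded as a string, so it needs a second parse.
  let inner;
  try {
    inner = JSON.parse(body.data.responseText);
  } catch {
    return { ok: false, error: 'MALFORMED_RESPONSE_TEXT', hint: 'responseText is not JSON' };
  }
  const hash = inner && inner.transactionHash;
  if (typeof hash !== 'string' || !TX_HASH.test(hash)) {
    return { ok: false, error: 'NO_TRANSACTION_HASH', hint: 'Do not report the post as on-chain' };
  }
  return { ok: true, transactionHash: hash };
}

// Constructed sample responses (the hash is a placeholder, not a real transaction).
const good = JSON.stringify({
  success: true,
  data: { ok: true, responseText: JSON.stringify({ transactionHash: '0x' + 'ab'.repeat(32) }) },
});
const bad = JSON.stringify({ success: false, error: 'INVALID_SIGNATURE' });
const truncated = JSON.stringify({
  success: true,
  data: { ok: true, responseText: '{"transactionHash":"0x..."}' },
});

console.log(interpretSubmit(good), interpretSubmit(bad), interpretSubmit(truncated));
```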

Related Tools

  • universal-profile skill - For UP/KeyManager operations
  • bankr skill - For direct LYX transactions (if gasless fails)
  • lsp28-grid skill - For profile grid management
