Forever Moments
Security checks across malware telemetry and agentic risk
Overview
This skill is purpose-aligned with Forever Moments, but it uses a blockchain controller private key and can fall back to spending gas directly without clear user approval.
Review this skill carefully before installing. If you use it, create a dedicated low-permission LUKSO controller key, fund it minimally, avoid enabling direct transaction fallback unless you accept gas costs, and do not enable cron posting unless you are comfortable with automated public blockchain posts.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or using the skill may give the agent practical signing authority over a LUKSO Universal Profile controller, including public posts and token-related actions.
The skill requires a controller private key capable of signing LUKSO account actions, while the supplied registry metadata declares no required environment variables or primary credential.
export FM_PRIVATE_KEY="0x..." # Controller private key
export FM_UP_ADDRESS="0x..." # Universal Profile address
export FM_CONTROLLER_ADDRESS="0x..." # Controller address
Use a narrowly permissioned controller key, verify the registry metadata gap before installation, and avoid using a wallet/controller that can perform unrelated or high-value actions.
A user may unexpectedly spend LYX gas from the controller account during an AI image post if the relayer cannot cover the transaction.
The AI posting script automatically switches from gasless relay to a direct blockchain transaction funded by the controller when relay quota is exhausted, without an explicit approval step in the code path.
console.log('⚠️ Relayer quota exhausted. Falling back to direct execution (paying gas from controller)...');
return await directExecute(relayPrepare.data.keyManagerAddress, payload);
Require explicit user confirmation before any direct transaction fallback, or disable direct execution unless the user has deliberately opted in.
If configured, the skill could keep posting generated content on a schedule without reviewing each post individually.
The README documents a recurring cron-style setup for automated AI-generated posting. This is disclosed and aligned with the skill purpose, but it creates ongoing public activity if enabled.
"schedule": { "kind": "every", "everyMs": 27000000 }, // 7.5 hours
"message": "node /path/to/post-moment-ai.js --random"
Only enable scheduled posting with clear limits, a low-privilege controller, and monitoring for each generated post and transaction.
Dependency versions may vary between installs, which can affect reliability and supply-chain reviewability.
The README instructs manual installation of unpinned npm packages, and the skill has no install spec or lockfile in the supplied artifacts.
npm install ethers form-data
Install from a trusted source, prefer pinned dependency versions with a lockfile, and confirm all required packages before running the scripts.
