Forever Moments

Key points before installing: - This skill requires a controller private key (FM_PRIVATE_KEY) and Universal Profile addresses — supplying that key gives the skill ability to sign and submit on-chain transactions that can spend LYX. Only use a key with minimal permissions (a controller with LIMITED KeyManager permissions, e.g., restricted to the specific actions you trust), never your main custody key. - The registry metadata incorrectly states no required env vars while SKILL.md and scripts require FM_PRIVATE_KEY, FM_UP_ADDRESS and FM_CONTROLLER_ADDRESS; treat the SKILL.md as authoritative and double-check environment variables before use. - The scripts may fall back to direct execution (paying gas from the controller) if relayer quota is exhausted; that behavior is explicit in code but important to understand because it causes real LYX spending. - There is a hardcoded fallback KeyManager address in post-moment-ai.js used when relayPrepare does not return a keyManagerAddress — verify that address and why it is used before trusting the code. - Image generation uses Pollinations (free) or OpenAI DALL·E (requires DALLE_API_KEY and incurs cost). Confirm you want the agent to call those external services and be billed for them if using DALL·E. - Recommended mitigations: test on a LUKSO testnet or a disposable controller key; review the scripts locally; run with read-only/sample environment values first; avoid giving high-privilege private keys to the agent; inspect and, if necessary, remove or change the hardcoded keyManager fallback.