📸 Forever Moments — LUKSO 社交铸造
v1.0.0在 LUKSO 链上发布 LSP8 NFT 时刻、铸造 LIKE 代币、创建/加入收藏,体验去中心化社交互动。
4· 643·0 当前·0 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceThe skill largely does what its description claims (posting LSP8 moments, minting LIKES, pinning to IPFS and using relayers), but the package metadata omits required secret/config declarations and the runtime code includes behaviors (direct fallback execution, a hardcoded KeyManager address) that merit caution before installing.
评估建议
Key points before installing:
- This skill requires a controller private key (FM_PRIVATE_KEY) and Universal Profile addresses — supplying that key gives the skill ability to sign and submit on-chain transactions that can spend LYX. Only use a key with minimal permissions (a controller with LIMITED KeyManager permissions, e.g., restricted to the specific actions you trust), never your main custody key.
- The registry metadata incorrectly states no required env vars while SKILL.md and scripts requ...详细分析 ▾
ℹ 用途与能力
Code and SKILL.md match the described purpose: building/pinning metadata, calling Forever Moments build endpoints, preparing relays, signing digests and submitting transactions, minting LIKES, and generating images (Pollinations or DALL·E). The use of a controller private key and UP/controller addresses is expected for these on‑chain operations. However, the registry metadata (requirements section) claims 'Required env vars: none' which contradicts SKILL.md and the scripts that require FM_PRIVATE_KEY, FM_UP_ADDRESS and FM_CONTROLLER_ADDRESS.
ℹ 指令范围
SKILL.md and scripts are explicit about the 4-step flow (pin → build → prepare → sign → submit) and include concrete commands. The instructions require reading environment variables for private keys and calling external endpoints (forevermoments API, Pollinations, OpenAI). They also instruct the agent to sign raw digests (correct for LUKSO relays). This scope is appropriate for a wallet/controller-based minting skill, but grants the agent the ability to create on-chain transactions that spend LYX if the provided private key has permissions.
✓ 安装机制
No install spec is included (instruction-only with bundled scripts). That lowers install risk: nothing will be automatically downloaded from arbitrary URLs. The repo includes local JS scripts; the README suggests installing standard npm deps (ethers, form-data) which is proportionate.
⚠ 凭证需求
The scripts require FM_PRIVATE_KEY, FM_UP_ADDRESS, and FM_CONTROLLER_ADDRESS (and optionally DALLE_API_KEY). These are proportionate to the function (signing relay digests, identifying the UP). The concern: the registry metadata lists no required env vars (incoherent with SKILL.md and code). Users may unknowingly install a skill that needs a controller private key. Additionally, the skill will sign and (if relay unavailable) directly send transactions using the provided private key — this is a sensitive capability and should only be used with a limited-permission controller key, not a full custody key.
✓ 持久化与权限
always:false (default) and model invocation allowed (default). The skill does not request permanent presence or modify other skills. Autonomous invocation is permitted by platform default; that increases impact if a private key is supplied, but is not in itself unusual.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/19
Initial release
● 可疑
安装命令
点击复制官方npx clawhub@latest install forever-moments
镜像加速npx clawhub@latest install forever-moments --registry https://cn.longxiaskill.com