Millionfinney Homepage
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a coherent educational guide, but users should manually control any Ethereum signing, IPFS uploads, and optional helper-script use because costs and on-chain records can be permanent.
Install/use this as an educational reference only unless you explicitly want to interact with the MillionFinneyHomepage contract. Before any real use, confirm the contract and upload endpoint independently, use a limited or burner wallet, never share private keys, manually review every signature and gas cost, and remember that on-chain purchases and media settings can be permanent.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Following the contract examples with a funded wallet can spend ETH, buy NFTs, list auctions, or attach permanent media.
The reference documents write functions that spend ETH and mutate public blockchain state; this is purpose-aligned but financially impactful if a user or agent signs the transactions.
`purchasePixelBatch(uint256[] tokenIds, string[] titles, bytes3[] colors)` | Buy up to 100 pixels | Arrays must match in length ≤ 100; send `price × count`.
Treat all contract writes as manual approval steps: verify token IDs, batch size, gas, total ETH cost, and use a testnet or low-value wallet before mainnet.
If a private key is exposed to logs, prompts, screenshots, or an unsafe environment, the wallet funds and NFTs could be compromised.
The example uses an Ethereum private key from the local environment to sign transactions; this is expected for the workflow but is sensitive wallet authority.
const wallet = new ethers.Wallet(process.env.PRIVATE_KEY!, provider);
Do not paste private keys into chat or shared files; prefer a hardware wallet, burner wallet, or least-funded wallet, and require human review for every signature.
The project service can see the uploaded media, target token, wallet address, and signed authorization message.
The IPFS upload workflow sends media, wallet address, token ID, and a signature to a project API; this is aligned with the service but crosses an external data boundary.
POST https://millionfinneyhomepage.com/api/ipfs/upload ... `file` ... `address` ... `signature` ... `tokenId`
Verify the domain and exact signature message before uploading, avoid private media, and use only task-specific signatures rather than broad wallet permissions.
An agent or user could be nudged toward a large purchase goal, which at the stated 0.001 ETH per pixel would be at least 1 ETH before gas for 1000 pixels.
The guide includes a promotional scarcity incentive aimed at bots; costs are disclosed elsewhere and safety guidance is present, but users should recognize it as marketing.
**Incentive:** First 100 bots to claim 1000+ pixels get permanent recognition!
Treat the incentive as optional marketing, not an instruction; set an explicit human-approved budget and do not let an agent decide spending goals autonomously.
Running the helper will process local image input and create or overwrite output files at the paths supplied by the user.
The included helper script reads image files and writes JSON/CSV output when run; this is purpose-aligned and user-directed, but it is still local code execution.
from PIL import Image ... path.write_text(json.dumps(payload, indent=2))
Run the script only intentionally, review output paths, use trusted image files, and consider a virtual environment for any Pillow dependency.
