Million Bit Homepage NFTs
v1.0.0Mint an image as an NFT plot on the Million Bit Homepage, a permanent 1024x1024 pixel canvas on the Base blockchain. Use this skill when you want to advertise your project, display your image on-chain, or claim a piece of the Million Bit Homepage canvas. Handles image resizing, plot availability checking, price querying, pixel encoding, and transaction preparation. Requires an EVM wallet skill to submit the final transaction on Base chain.
⭐ 0· 890·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description promise (resize image, check availability & price, encode pixels, ABI-encode calldata, prepare tx JSON) matches the included scripts and helpers. Dependencies (ethers, sharp, pako) are appropriate for ABI encoding, image processing, and compression. The RPC URL and contract address are present and used only for on-chain queries. No unrelated services or credentials are requested.
Instruction Scope
SKILL.md instructs running npm install and the provided scripts. The scripts only read the provided image file(s), call the Base RPC endpoint for contract queries, and write temporary/expected outputs (resized image, compressed pixel file, final tx JSON). The skill explicitly delegates signing/sending to an external EVM wallet skill (it does not request private keys). There are no instructions to read user shell history, arbitrary files, or to exfiltrate data to unexpected endpoints.
Install Mechanism
There is no registry install spec; the README asks the user to run npm install in the skill directory. That will pull packages from the public npm registry (ethers, sharp, pako). npm installs are a normal way to set up Node tools but carry the usual supply-chain risks (native builds for sharp, network download). This is expected for the functionality but worth noting: dependencies come from npm and require build tools, and npm install runs code from the package ecosystem.
Credentials
The skill declares no required environment variables or secrets and does not attempt to access unrelated config paths. It uses a hardcoded public RPC endpoint by default (https://mainnet.base.org) and allows overriding via CLI in find_plots.js. It correctly relies on an external EVM wallet skill to submit transactions rather than bundling signing functionality or requesting private keys.
Persistence & Privilege
The skill does not request 'always' presence, does not modify other skills, and operates transiently (uses a temporary directory for intermediate files). It does not try to persist credentials or alter system-wide agent settings.
Assessment
This skill appears to do exactly what it says: prepare an on-chain mint transaction for the Million Bit Homepage and hand it to your EVM wallet for signing. Before installing/using it: 1) Inspect package.json and the node scripts (you already have the source) and verify the contract address and RPC endpoint are expected; 2) Run npm install only in a controlled environment (or review npm packages) because npm packages (sharp) build native code and come from the public registry; 3) Use --dry-run to test the encoding pipeline before spending funds; 4) Ensure you use a trusted EVM wallet skill to sign transactions (the skill prepares calldata/value but does not sign); 5) Avoid running as privileged user and consider running in a sandbox/container if you have concerns about installing dependencies from an unknown source.Like a lobster shell, security has layers — review code before you run it.
latestvk977rgx83sdtbba282zf57dhfs80rx5d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.