Million Bit Homepage NFTs
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously crafted image filename could cause code to run on the user's machine when preparing a mint.
The image path comes from a positional argument and is inserted directly into JavaScript source passed to node -e instead of being passed as argv or safely escaped.
```bash
IMAGE_PATH="${POSITIONAL[0]}" ... IMG_INFO=$(node -e "... sharp('$IMAGE_PATH').metadata().then(m => { ...")
```
Do not use this script on untrusted filenames until fixed. The maintainer should pass the path as a Node argument or environment variable and avoid embedding it in `node -e` source.
If signed, the transaction spends ETH and permanently mints the selected image/link on-chain.
The skill intentionally prepares a payable blockchain transaction for another wallet tool to submit.
Pass the output JSON to your **EVM wallet skill** to execute the transaction on **Base chain (chainId 8453)**. The key fields are: ... `value` -- ETH to send
Before signing, verify the Base chain ID, contract address, ETH value, calldata description, coordinates, image, and URL; require explicit wallet approval.
Installing dependencies may fetch package versions not fully pinned by the artifact, which can affect reproducibility and supply-chain review.
The skill relies on npm packages with semver ranges, including native image-processing dependency sharp.
```json
"dependencies": { "pako": "^1.0.10", "ethers": "^6.13.0", "sharp": "^0.33.0" }
```
Install in a sandbox or pinned environment, review the generated lockfile, and prefer exact dependency versions for distribution.
