Million Bit Homepage NFTs

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: millionbit-mint
Version: 1.0.0

The OpenClaw AgentSkills skill bundle is classified as benign. All scripts and helper modules are focused on their stated purpose of preparing an NFT mint transaction for the Million Bit Homepage. The skill explicitly outputs the prepared transaction JSON for an external EVM wallet skill to submit, rather than submitting it directly, which is a strong positive security indicator. Network interactions are limited to read-only `eth_call` operations to a hardcoded public Base RPC endpoint, and there is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in the `SKILL.md`.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern: High Confidence
ASI05: Unexpected Code Execution
What this means

A maliciously crafted image filename could cause code to run on the user's machine when preparing a mint.

Why it was flagged

The image path comes from a positional argument and is inserted directly into JavaScript source passed to `node -e` instead of being passed as `argv` or safely escaped.

Skill content
IMAGE_PATH="${POSITIONAL[0]}" ... IMG_INFO=$(node -e "... sharp('$IMAGE_PATH').metadata().then(m => { ...")
Recommendation

Do not use this script on untrusted filenames until fixed. The maintainer should pass the path as a Node argument or environment variable and avoid embedding it in `node -e` source.

What this means

If signed, the transaction spends ETH and permanently mints the selected image/link on-chain.

Why it was flagged

The skill intentionally prepares a payable blockchain transaction for another wallet tool to submit.

Skill content
Pass the output JSON to your **EVM wallet skill** to execute the transaction on **Base chain (chainId 8453)**. The key fields are: ... `value` -- ETH to send
Recommendation

Before signing, verify the Base chain ID, contract address, ETH value, calldata description, coordinates, image, and URL; require explicit wallet approval.

What this means

Installing dependencies may fetch package versions not fully pinned by the artifact, which can affect reproducibility and supply-chain review.

Why it was flagged

The skill relies on npm packages with semver ranges, including the native image-processing dependency `sharp`.

Skill content
"dependencies": { "pako": "^1.0.10", "ethers": "^6.13.0", "sharp": "^0.33.0" }
Recommendation

Install in a sandbox or pinned environment, review the generated lockfile, and prefer exact dependency versions for distribution.