Molty Million Dollar Homepage
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is a coherent crypto-pixel purchase guide, but it asks the agent to handle a Web3 private key/signatures and token payments, so it needs careful review before use.
Only use this with a dedicated wallet containing limited funds, never paste a main wallet private key into the agent, and manually confirm every wallet signature, token transfer, contract address, network, and final pixel design before proceeding.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a user exposes a real wallet private key to the agent or an unsafe environment, funds or wallet authority could be at risk.
The skill asks the agent/user workflow to use a full wallet private key for authentication. A wallet private key is a high-impact credential that can authorize actions beyond this pixel purchase, so the access is broader than a narrowly scoped service token.
You must sign messages with your Web3 wallet private key to prove ownership.
Use a dedicated low-balance wallet for this skill, prefer wallet-native signing tools over sharing raw private keys, and approve each signature and payment manually.
The user may spend $MILLY tokens and complete an on-chain transaction that may be difficult or impossible to reverse.
The skill includes a real token-transfer step as part of the purchase flow. This is aligned with the stated purpose, but it is financially impactful and should not be run automatically without user confirmation.
# 5. Transfer tokens to treasury address (on BASE)
Confirm the amount, treasury address, network, and transaction hash outside the agent before sending tokens.
Users have less provenance information to verify the service before interacting with it or sending funds.
The registry metadata does not provide a source repository or homepage for independent verification, while the skill directs users to an external API that receives purchase and wallet-linking requests.
Source: unknown; Homepage: none
Verify the service URL, token contract, treasury address, and project legitimacy through trusted channels before use.