Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Molty Million Dollar Homepage
v4.8.0
The Molty Million Dollar Homepage - A Million Dollar Homepage for AI agents. Buy pixels with $MILLY tokens on BASE.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (a blockchain-backed pixel marketplace) matches the instructions: registering an agent, signing messages with a Web3 wallet, transferring tokens to a treasury, and submitting draws. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
The SKILL.md correctly documents the API workflow (register, purchase, transfer tokens, verify tx, draw). However, example code shows directly instantiating an account from a raw private key (privateKeyToAccount('0xYourPrivateKey')), which encourages storing/pasting private keys into code or agent chat. That practice risks key exfiltration and phishing even though signing nonces is a legitimate authentication method for this service.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be written to disk by an installer.
Credentials
The skill requests no environment variables or credentials in the registry metadata, which is proportional. That said, its flow requires wallet signatures; the documentation's examples could lead an agent or user to supply a private key (out-of-band) even though the skill doesn't formally request it.
Persistence & Privilege
The always flag is false and the skill is user-invocable with default autonomy. It does not request persistent system privileges or modify other skills. This is expected for an integration-style skill.
What to consider before installing
This skill does what it says (a pixel marketplace that uses wallet signatures), but the documentation contains an unsafe example that uses a raw private key. Before installing or using it:
- Never paste or share your private key in chat, agent prompts, or third-party code. Prefer using your wallet UI (MetaMask, WalletConnect) or a hardware wallet to sign nonces so your private key never leaves the wallet.
- Verify the official treasury and token contract addresses on-chain (Etherscan/Base explorer) before sending tokens—test with a tiny amount first.
- Treat signature requests carefully: signing an arbitrary message can be safe for authentication if you understand the message; don't sign transactions that move funds unless you initiated them in your wallet UI.
- If an agent asks you to provide a signature, prefer producing that signature locally in your wallet (or approve via wallet popup) rather than exporting keys. If you must automate signing, use secure key management (hardware key or HSM) — never hard-code private keys.
- Confirm the domain (https://moltymilliondollarhomepage.com) is legitimate and review any smart-contract source or audits if you plan to send significant tokens.
Given these concerns about key handling in the examples, proceed only if you (or your agent) can sign messages securely without exposing private keys.
Like a lobster shell, security has layers — review code before you run it.