Is millionbithomepage/millionbit-mint safe?

https://github.com/openclaw/skills/tree/main/skills/millionbithomepage/millionbit-mint

Overall score: 78/100 · Verdict: CAUTION

The millionbit-mint skill is a functionally coherent NFT minting tool for the Million Bit Homepage on the Base blockchain, with clean SKILL.md content and the expected installation behavior. The primary security risk is a shell injection vulnerability in prepare_mint.sh: the $IMAGE_PATH argument is interpolated unsanitized into an inline Node.js script string, which allows arbitrary code execution and local file exfiltration if an attacker can influence the image path (for example, via prompt injection from another channel). The skill also carries meaningful financial risk for autonomous agents: it explicitly targets AI agents and bots while producing ready-to-submit ETH transactions with no built-in confirmation gate. Finally, six credential file reads were observed during the monitoring window; these are most likely attributable to the monitoring infrastructure, but the available audit records could not definitively attribute them to a non-skill process.

Category Scores

Prompt Injection: 85/100 (weight 30%)
Data Exfiltration: 70/100 (weight 25%)
Code Execution: 72/100 (weight 20%)
Clone Behavior: 88/100 (weight 10%)
Canary Integrity: 90/100 (weight 10%)
Behavioral Reasoning: 50/100 (weight 5%)

Findings (8)

HIGH · Shell Injection via Unsanitized $IMAGE_PATH in prepare_mint.sh (score impact: -28)

In prepare_mint.sh, the $IMAGE_PATH argument is interpolated directly into a node -e inline script string without escaping. The JavaScript string wraps the path literal in single quotes, so any image path containing a single quote can terminate the string and execute arbitrary Node.js code with the agent's runtime privileges. In an agent context, image paths frequently originate from user requests or other tools, which makes them easy for an attacker to control via prompt injection from a separate channel.

HIGH · Skill Prepares Real ETH Transactions With No Confirmation Gate for Autonomous Agents (score impact: -25)

The prepare_mint.sh script produces a complete, submission-ready transaction JSON, including a hex-encoded ETH value. The SKILL.md explicitly markets this to AI agents and bots. When loaded into an agent's context, the agent may invoke the skill autonomously in response to ambiguous user requests, resulting in real on-chain spending without explicit user approval of each transaction.

MEDIUM · Six Sensitive Credential Files Read During Monitoring Window (score impact: -15)

Both inotifywait and auditd record OPEN+ACCESS+CLOSE_NOWRITE operations on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json. The first access (timestamp 1771907727.823) occurs 24 ms after 'ss -tunap' and 6 seconds before the git clone begins, so the skill's code cannot have caused it. The second access (timestamp 1771907752.013) occurs during the post-install integrity sweep. The most parsimonious explanation is the monitoring infrastructure's own canary baseline and verification reads, and the canary integrity report confirms that none of the files were modified. However, the responsible process cannot be positively identified from the audit record provided.

MEDIUM · Shell Injection Enables Arbitrary Local File Read at Runtime (score impact: -15)

The same $IMAGE_PATH injection vector in prepare_mint.sh can also be used to read arbitrary local files. A crafted path that breaks out of the Node.js string can call require('fs').readFileSync() on any file readable by the agent process (e.g., ~/.ssh/id_rsa, .env, .aws/credentials) and send the contents over any available network channel.

MEDIUM · Cross-Skill EVM Wallet Dependency Creates Transaction Interception Surface (score impact: -15)

The skill's design requires passing its JSON output to a separate EVM wallet skill for signing and submission. A compromised or malicious wallet skill installed in the same agent could intercept the transaction object (to, value, data) and redirect funds or call a different contract function without the user's knowledge.

LOW · Install Contacts Multiple External Servers for npm Dependencies (score impact: -12)

During npm install, the sandbox contacted Canonical/Ubuntu package servers (91.189.91.49, 185.125.188.58, 185.125.188.59) in addition to GitHub. All destinations resolve to the expected registries for the pako, ethers, and sharp dependencies. No unexpected third-party or attacker-controlled servers were observed.

LOW · SKILL.md Uses Agent-Targeting Marketing Language (score impact: -15)

While not a prompt injection attack in itself, the SKILL.md includes copy specifically encouraging AI agents and bots to autonomously spend cryptocurrency to establish a 'permanent identity on-chain.' This framing nudges agents toward autonomous financial actions that may not align with the user's intent.

INFO · No Malicious npm Scripts, Git Hooks, Submodules, or Symlinks Found (score impact: 0)

package.json contains no preinstall, postinstall, or other lifecycle scripts. The audit found no .gitattributes smudge/clean filter hooks, no .gitmodules submodule references, no .githooks directory, and no symlinks pointing outside the repository.