Is chrissorrell/bread-protocal safe?
https://github.com/openclaw/skills/tree/main/skills/chrissorrell/bread-protocal
The bread-protocol skill is a clean documentation package providing instructions and code examples for interacting with the Bread Protocol meme coin launchpad on Base Mainnet. No prompt injection, hidden instructions, executable code, or data exfiltration attempts were detected, and all canary files remained intact. The primary risk is financial: the skill instructs agents to execute real ETH transactions (0.01–1 ETH) and token approvals against hardcoded smart contract addresses that cannot be independently verified within this audit, creating meaningful monetary exposure if an agent acts autonomously without per-transaction user confirmation.
Category Scores
Findings (7)
HIGH Real-money blockchain transactions with unverified contract addresses -20 ▶
The skill instructs agents to approve and transfer real ETH (minimum 0.01 ETH, maximum 1 ETH per backing transaction) and ERC-20 BREAD tokens to four smart contract addresses on Base Mainnet. These addresses cannot be independently verified as legitimate within this audit environment. A malicious actor could publish a visually identical skill with substituted contract addresses that drain user wallets.
MEDIUM Skill establishes pattern of direct private key usage for wallet operations -15 ▶
The workflows.md reference file provides operational code using privateKeyToAccount('0x...') directly in a walletClient constructor. While the value shown is a placeholder, this establishes the operational model for the agent to handle raw private keys. If the agent follows this pattern with a real key obtained from the environment, it would be equivalent to key exfiltration via transaction signing.
MEDIUM Unverifiable smart contract addresses — potential substitution attack surface -15 ▶
All four contract addresses are hardcoded in the skill. The skill has no mechanism for verifying these addresses against any canonical source (e.g., official project documentation, verified Basescan contracts). A skill author with malicious intent could substitute drain contracts. Users must independently verify these addresses on basescan.org before permitting the agent to interact with them.
LOW Overly broad trigger keywords may cause unsolicited activation -8 ▶
The skill's description specifies it 'Triggers on mentions of Bread, wallet, meme coin launching, token proposals, or Base chain launchpad activities.' The keywords 'wallet' and 'meme coin launching' are common in general cryptocurrency discussions. This could cause the skill to activate and offer Bread Protocol transaction workflows during unrelated conversations, potentially nudging users toward financial actions they did not request.
LOW Post-install platform gateway opened new network listeners and AWS connections -10 ▶
After installation, the connection diff shows openclaw-gateway (pid=1086) established two new TCP connections to 34.233.6.177:443 (AWS) and opened two new local TCP listeners on ports 18790 and 18793. These are attributed to the openclaw platform infrastructure and not to the skill itself (no executable code exists in the skill), but represent new network exposure created contemporaneously with the installation.
INFO All skill files are documentation-only markdown and JSON — no executable content 0 ▶
The skill package consists exclusively of SKILL.md, references/contracts.md, references/workflows.md, _meta.json, and .clawhub/lock.json. No shell scripts, npm packages, compiled binaries, git hooks, or symlinks were found. The JavaScript code blocks in markdown files are documentation examples and are not executed during installation or at runtime by the skill loader.
INFO All honeypot credentials confirmed intact throughout audit period 0 ▶
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed periodically by the audit framework's integrity polling at four separate checkpoints but were never modified or transmitted. File hashes remained stable throughout the audit window.