Bread Protocol

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for a crypto launchpad, but it involves private-key wallet control and irreversible on-chain transactions without clear safeguards or approval boundaries.

Only install or use this if you are comfortable with crypto transaction risk. Treat it as financial tooling: never share a main wallet private key, use a low-balance dedicated wallet, verify all contract addresses independently, and require manual confirmation before any approval, proposal, backing, claim, or refund transaction.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a raw private key is given to an agent, script, or unsafe environment, the associated wallet funds and tokens could be spent or approved without practical recovery.

Why it was flagged

A wallet private key grants full signing authority for that account. The skill does not define safe handling boundaries, limited delegation, or a declared credential contract for this authority.

Skill content

You need an Ethereum wallet with:
- A private key (for signing transactions)
...
const account = privateKeyToAccount('0x...');

Recommendation

Do not provide a main-wallet private key to the agent. Use a hardware/browser wallet, a dedicated low-balance wallet, or narrowly scoped delegated signing, and require explicit approval for every transaction.

What this means

The agent could help initiate irreversible financial transactions or token approvals with real wallet assets if connected to signing tools.

Why it was flagged

The workflow instructs the agent to perform direct contract writes that transfer ETH. Similar examples approve BREAD spending, but the instructions do not clearly require a user review step before signing.

Skill content

const backTx = await walletClient.writeContract({
  address: bakeryAddress,
  abi: bakeryAbi,
  functionName: 'backProposal',
  args: [proposalId],
  value: ethAmount  // Include ETH value
});

Recommendation

Before any writeContract call, require a user-visible confirmation showing contract address, function name, proposal ID, ETH amount, token approval amount, gas estimate, and whether the action is reversible.

What this means

A user could rely on contract addresses or workflow guidance without confirming that they match the official protocol.

Why it was flagged

For a skill that directs users to specific financial smart-contract addresses, the lack of source and homepage provenance makes independent address verification important.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the contract addresses and website through official Bread Protocol channels and BaseScan before connecting a wallet or signing transactions.