gate-dex-mcpswap
Fail
Audited by Snyk on Mar 9, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The skill requires the agent to include the raw mcp_token value as an argument in many CallMcpTool calls (even though examples use a placeholder and UI display is masked), which forces the LLM to emit the secret verbatim into tool-call outputs/requests and therefore creates an exfiltration risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill requires a configured MCP server URL (e.g. https://your-mcp-server-domain/mcp) that the agent calls at runtime (CallMcpTool / FetchMcpResource) to obtain quotes and to invoke tx.swap, which executes remote operations. This external endpoint is therefore a required runtime dependency that can execute code/operations affecting the agent flow.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform cryptocurrency swaps and on-chain transactions. It includes specific MCP tools for blockchain financial operations: tx.quote (quote for swaps), tx.swap (one-shot Build→Sign→Submit swap execution returning tx_hash and tx_order_id), tx.swap_detail (transaction status), and wallet.get_addresses / wallet.get_token_list for wallet and balance handling. It supports EVM and Solana, cross-chain swaps, handles native vs wrapped tokens, token approvals, and signing/approval confirmations. These are concrete crypto financial execution APIs (wallet operations, signing, submitting transactions) — not generic callers — therefore it grants Direct Financial Execution Authority.