gate-dex-wallet

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill requires the agent to include the mcp_token value as a parameter in CallMcpTool requests (e.g., arguments={..., mcp_token: "<mcp_token>"}), which forces the LLM to handle/emit a secret value verbatim in generated tool calls and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly ingests and parses untrusted user-provided ABI/contract calldata as part of DApp flows (see references/dapp.md Flow E "Arbitrary Contract Call (User Provides ABI)"), and uses that parsed data to build, sign, and broadcast transactions, so third-party content can directly influence tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime calls to the external MCP server URL https://api.gatemcp.ai/mcp/dex (e.g., CallMcpTool for auth.google_login_start, tx.transfer_preview, etc.), and those responses include user-facing fields like verification_url and confirm_message that the agent must display and rely on—meaning remote content can directly control prompts/instructions at runtime.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto wallet with modules for "Transfer" (gas estimation, transaction building, signature broadcast), DApp interactions, and signing. It routes transfer operations to a transfer reference and lists wallet transaction and transfer-related capabilities. These are specific blockchain financial execution functions (wallet transfers, signing, broadcasting transactions), not generic tooling—so it grants direct financial execution authority.