gate-exchange-affiliate

SUSPICIOUS. The business purpose and API scope are mostly coherent for an affiliate-reporting skill, and there is no clear exfiltration or malicious automation. However, the core install path is inconsistent with Gate’s documented MCP setup: the skill tells the agent to install an unverified `gate-mcp` package, while official Gate docs reference a hosted MCP endpoint and a different client workflow. Because authenticated partner data would flow through external tooling of unclear provenance, the skill carries high supply-chain and credential-forwarding risk despite an otherwise plausible purpose.