gate-exchange-candydrop

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). Yes — the included setup.sh fetches and installs a remote CLI binary at runtime using curl from GitHub (e.g. https://api.github.com/repos/gate/gate-cli/releases/latest and https://github.com/gate/gate-cli/releases/download/${VERSION}/${ARCHIVE}), which downloads and executes remote code that the skill relies on (gate-cli).