gate-exchange-flashswap

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs the agent to read external runtime rules hosted on GitHub (e.g., the gate-runtime-rules.md link in SKILL.md) and includes a required setup.sh that downloads the gate-cli binary from GitHub releases—both are open/public third-party sources the agent is expected to fetch and whose content can directly affect decision-making and tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup.sh explicitly downloads and installs remote binaries at runtime (it queries https://api.github.com/repos/gate/gate-cli/releases/latest and downloads from https://github.com/gate/gate-cli/releases/download/.../${ARCHIVE}), which fetches and installs remote executable code that the skill may run — a runtime remote-code dependency.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform cryptocurrency swaps via a CLI that calls exchange-specific create APIs. It lists authenticated gate-cli commands that create orders (e.g., gate-cli cex flash-swap create-v1, create-one-to-many, create-many-to-one), requires API credentials (GATE_API_KEY / GATE_API_SECRET) with write permissions, and describes confirmation / one-click execution flows that will execute real swaps. These are direct crypto/financial execution operations (not generic tooling), so it grants Direct Financial Execution Authority.