gate-mcp-codex-installer
Audited by Snyk on Mar 14, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt embeds a fixed API key (MCP_AK_8W2N7Q) and instructs writing config entries and prompting users to supply API keys/secrets, which requires emitting secret values verbatim into config/commands, creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The installer explicitly clones and installs all skills from the public GitHub repo https://github.com/gate/gate-skills (see scripts/install.sh and SKILL.md) and instructs restarting Codex to load those third-party skills/MCPs, meaning untrusted external code/content will be ingested and can influence agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The installer script performs a runtime git clone of the remote repository https://github.com/gate/gate-skills.git (by default, unless --no-skills) and copies those fetched "skills" into Codex's skills directory, which will be loaded by the agent and can directly control prompts and execute code.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). The document contains a concrete, literal API key value: "MCP_AK_8W2N7Q" is explicitly specified as the fixed x-api-key and written to config.toml. This is not a placeholder (e.g., YOUR_API_KEY) or an env-var name — it is a hardcoded credential embedded in the config and therefore should be treated as a secret.
I am ignoring values that are placeholders or references only (e.g., ${GATE_MCP_TOKEN}, GATE_API_KEY, GATE_API_SECRET) because those are environment variable names or instructions to the user rather than actual secret values.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The installer is explicitly for integrating Gate MCP servers (including "Gate (main)" and "Gate Dex") and gate-skills into Codex, and it references spot/futures trading and web3 wallet binding. It instructs users to create and set GATE_API_KEY and GATE_API_SECRET for trading and describes Gate-Dex wallet OAuth steps. These are specific, finance-focused integrations (crypto exchange APIs and wallet/OAuth setup), not generic tooling. The skill therefore carries a direct financial execution capability risk.
Issues (5)
- Insecure credential handling detected in skill instructions.
- Third-party content exposure detected (indirect prompt injection risk).
- Unverifiable external dependency detected (runtime URL that controls agent).
- Secret detected in skill content (API keys, tokens, passwords).
- Direct money access capability detected (payment gateways, crypto, banking).