gate-mcp-cursor-installer

Fail

Audited by Snyk on Apr 2, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt embeds a concrete API key string ("MCP_AK_8W2N7Q") and instructs writing it into mcp.json (and using x-api-key/Bearer headers), which requires the LLM to include a secret verbatim in generated output/config — a high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The domains themselves (GitHub, gate.com, api.gatemcp.ai) are not obviously malicious, but the installer workflow directs you to run unreviewed shell/npm installers (e.g., bash scripts, "npx -y gate-mcp") and to pull and install arbitrary "skills" from a repository and connect to remote MCP endpoints — actions that permit remote or local code execution and could deliver malware if the code or endpoints are malicious or compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The installer explicitly clones the public GitHub repo https://github.com/gate/gate-skills (see scripts/install.sh and SKILL.md/README.md) and copies all skills into the user's Cursor skills directory (~/.cursor/skills), which exposes the agent to untrusted, user-maintained third-party code that can alter agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The installer script clones and installs remote code from the Git repository https://github.com/gate/gate-skills.git at runtime (git clone in scripts/install.sh), which places external skill code into the Cursor skills directory that will be executed/loaded by the agent, so this remote URL is a runtime dependency that can control agent behavior.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I flagged the literal value "MCP_AK_8W2N7Q" because the prompt explicitly states "The DEX x-api-key is fixed as MCP_AK_8W2N7Q and written to mcp.json" — a hardcoded API key placed in a config file. Even though it is relatively short, it is a directly present, usable credential (x-api-key) and therefore qualifies as a secret to surface and rotate/remove.

No other high-entropy credentials, private keys, or active API tokens are present. Other items (URLs, environment variable names, the "Local API Key" link, example install commands) are documentation/placeholder content and not flagged.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is specifically designed to install and configure connectors to centralized exchanges (CEX) and a decentralized exchange (Gate-Dex). It explicitly mentions Local CEX (stdio) with API keys, Remote Exchange (Gate OAuth2), Gate-Dex with x-api-key + Bearer headers, and "Wallet + OAuth guidance" for web3.gate.com. The installer writes API keys (the DEX x-api-key) into the MCP config and configures OAuth for exchange access — i.e., it provisions credentials and endpoints that enable placing orders, signing transactions, and managing wallets on exchanges/DEX. This is not a generic tool installer; its primary function is to enable direct financial/exchange integrations. Therefore it grants direct financial execution capability.

Issues (6)

  • W007 (HIGH): Insecure credential handling detected in skill instructions.
  • E005 (CRITICAL): Suspicious download URL detected in skill instructions.
  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: CRITICAL
Analyzed: Apr 2, 2026, 12:22 AM
Issues: 6