gate-mcp-installer
Audited by Snyk on Apr 25, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.80). The skill references and sometimes requires passing real API keys/tokens (prompts for GATE_API_KEY, uses mcp_token as an authorization tool argument) and even embeds a literal API key (MCP_AK_8W2N7Q), meaning the agent may need to accept and forward secret values verbatim in commands/tool calls, creating an exfiltration risk.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The installer explicitly fetches public third‑party content (git clone of https://github.com/gate/gate-skills in scripts/install.sh) and registers/uses remote HTTP MCP endpoints (e.g., https://api.gatemcp.ai/mcp/news, https://api.gatemcp.ai/mcp/dex/sec and http://dev.halftrust.xyz/pay-mcp-server/mcp in mcp-fragments and openclaw/servers.manifest) which SKILL.md and references/mcp.md show the agent is expected to call (e.g., mcporter call gate-news.list_news, tx_checkin), so untrusted external responses could influence tool calls and subsequent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installer script runs git clone during runtime to fetch remote code from https://github.com/gate/gate-skills.git (unless --no-skills) which installs skill code that the client will load and can control prompts/execute code, so this is a runtime external dependency that introduces direct code/control risk.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the entire skill prompt for literal high-entropy credentials. The only direct literal that looks like a usable credential is the fixed x-api-key value "MCP_AK_8W2N7Q" (documented as the Dex fixed x-api-key). That is a concrete header value present in the doc and could be used as an API key.
I ignored the following because they are placeholders, environment variable names, or non-secret URIs:
- GATE_API_KEY, GATE_API_SECRET, ${GATE_MCP_TOKEN}, PLUGIN_WALLET_TOKEN, EVM_PRIVATE_KEY, SVM_PRIVATE_KEY — these are variable names/placeholders, no literal secrets provided.
- URLs such as https://api.gatemcp.ai/... and https://web3.gate.com/ — not secrets.
- No PEM blocks, long bearer tokens, or other high-entropy strings were present.
Note: "MCP_AK_8W2N7Q" is relatively short but is documented as a fixed x-api-key for the Dex service; because it is a literal usable key in the documentation, I flag it.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for installing and wiring financial MCP services: it installs CEX and DEX MCPs (gate, gate-cex-*, gate-dex), includes Gate Pay components (gatepay-local-mcp and merchant discovery), and wires wallet-related tools (gate-dex-wallet, Gate Verify / tx_checkin). It references wallet private keys (EVM_PRIVATE_KEY, SVM_PRIVATE_KEY), mcp tokens for authorization, wallet signing flows, dex trading surfaces (gate-dex, gate-dex-trade), and commands like list_spot_accounts / list_balances. These are specific integrations for payment/crypto/exchange operations (wallet signing, payments, market balances/trading), not generic tooling. Therefore it grants direct financial execution capability.