The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The installer script scripts/install.sh and documentation in README.md and SKILL.md contain a hardcoded API key MCP_AK_8W2N7Q for the DEX MCP server. While this may be a public-facing key for a proxy service, hardcoding credentials in instructions and scripts is a poor security practice.\n- [REMOTE_CODE_EXECUTION]: The skill configures the MCP environment to run npx -y gate-mcp. This command fetches and executes code from the public npm registry at runtime, creating a dependency on the external package's integrity.\n- [COMMAND_EXECUTION]: The scripts/install.sh script performs shell command execution to interface with the mcporter CLI tool. It handles user-provided API keys and secrets as environment variables during the configuration process.\n- [EXTERNAL_DOWNLOADS]: The skill directs the agent to fetch and adhere to rules hosted at an external URL (https://github.com/gate/gate-skills/blob/master/skills/gate-runtime-rules.md). Although the source is linked to the vendor, such external dependencies for agent instructions can be a vector for indirect prompt injection.\n- [PROMPT_INJECTION]: The SKILL.md file uses high-pressure language ('⚠️ STOP', 'MUST read', 'highest priority') to attempt to override standard agent behavior and strictly enforce specific rules and tool limitations.

gate-mcp-openclaw-installer