gate-mcp-openclaw-installer

Fail

Audited by Snyk on Apr 2, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 0.80). The skill includes a literal API key value in examples and explicitly mentions prompting for Gate API credentials and bearer tokens (e.g., GATE_API_KEY/GATE_API_SECRET and ${GATE_MCP_TOKEN}), which can require the agent to receive or reproduce secret values verbatim, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill's required workflow (SKILL.md and scripts/install.sh) configures and instructs the agent to call remote public MCP endpoints (e.g., https://api.gatemcp.ai/mcp/news, https://api.gatemcp.ai/mcp/info, and other api.gatemcp.ai endpoints via mcporter calls like "mcporter call gate-news.list_news" and "mcporter call gate-info.list_tickers"), so the agent will fetch and interpret untrusted/public third‑party content (news/info) that can influence subsequent tool actions and decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The installer config registers a required 'gate' stdio server with the command "npx -y gate-mcp", which at runtime fetches and executes remote code from the npm registry (i.e., remote package installation/execution), so external content is executed and relied upon.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I inspected the document for literal, usable credentials. The entry x-api-key MCP_AK_8W2N7Q is a concrete, non-placeholder token value presented as an API key for the DEX endpoint (paired with an Authorization bearer token). Although relatively short, it is a specific literal that could be a hardcoded API key and therefore should be treated as a secret.

I did not flag other items:

  • GATE_API_KEY / GATE_API_SECRET and ${GATE_MCP_TOKEN} are environment variable names/placeholders (no literal secrets provided).
  • Links, instructions for creating keys, and commands (mcporter auth, npm install, etc.) are documentation/operational guidance.
  • No RSA/PEM blocks or other high-entropy keys were present.

Thus the only direct, literal credential-like value present is MCP_AK_8W2N7Q.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to install and manage Gate exchange MCP servers (CEX and DEX) and includes concrete endpoints and auth flows for exchange operations. It references local CEX trading and DEX wallet access, instructs obtaining API keys with Read/Trade/Withdraw permissions, and documents OAuth2/x-api-key/Bearer auth for exchange and dex endpoints. These are specific crypto/exchange integration capabilities (wallets, exchange APIs, trading/withdraw permissions and auth), not generic tooling — therefore it enables direct financial execution.

Issues (5)

  • HIGH W007: Insecure credential handling detected in skill instructions.
  • MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
  • MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
  • HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
  • MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 2, 2026, 12:22 AM
Issues: 5