gate-mcp-openclaw-installer

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds a literal API key (MCP_AK_8W2N7Q) and instructs use of an Authorization Bearer token (GATE_MCP_TOKEN), which requires including secret values verbatim in requests/commands, creating exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly for Gate.com MCP servers that perform trading and wallet operations. It lists endpoints and authenticated commands for spot/futures/options trading and DEX operations (e.g., gate.list_spot_accounts, gate-dex.list_balances). The docs mention specific actions like "transfer, swap", require API keys with "Trade" and "Withdraw" permissions, and describe wallet OAuth and stored credentials. These are concrete, specific financial APIs and operations capable of executing trades, transfers, and withdrawals — i.e., direct financial execution.