gate-exchange-collateralloan
Warn
Audited by Snyk on Apr 26, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's setup.sh fetches and installs the gate-cli binary at runtime from GitHub (it queries https://api.github.com/repos/gate/gate-cli/releases/latest and downloads from https://github.com/gate/gate-cli/releases/download/.../), which clearly fetches remote executable code that the skill requires and will run, so this is a runtime external dependency that executes remote code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly for managing crypto loans on the Gate exchange and includes authenticated, write-capable commands that create loans, repay loans, and adjust collateral (e.g.,
gate-cli cex mcl create,gate-cli cex mcl repay,gate-cli cex mcl collateral). It requires API keys/permissions and is specifically designed to move or modify user funds/positions on an exchange (multi-collateral loan operations). This meets the "Direct Financial Execution" criteria.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata