gate-exchange-earn

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's setup.sh will, at runtime, call the GitHub API (https://api.github.com/repos/gate/gate-cli/releases/latest) and download/install a release binary from the GitHub releases URL (https://github.com/gate/gate-cli/releases/download/${VERSION}/...), which fetches and installs/executes remote code that the skill requires.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes exchange write commands that perform financial actions (crypto earn subscribe/redeem, fixed product creation, dual-place orders, staking swaps) via gate-cli: e.g. gate-cli cex earn uni lend, gate-cli cex earn uni change, gate-cli cex earn fixed create, gate-cli cex earn dual place, gate-cli cex earn staking swap. It requires API key/secret authentication and describes preflight balance checks and an Action Draft → explicit "Y" confirmation flow before executing these writes. Because the tool is specifically designed to move crypto assets on an exchange (not a generic CLI or HTTP caller), it grants direct financial execution authority.