gate-exchange-newcoin
Warn
Audited by Snyk on Apr 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). The skill explicitly mandates running gate-cli news commands (e.g., gate-cli news feed get-exchange-announcements, gate-cli news feed search-news, gate-cli news feed get-social-sentiment) per SKILL.md and references/gate-cli.md and uses those public/news/social feeds as required inputs in the read-phase and Action Draft that directly influence whether and how orders are placed, so it clearly ingests untrusted third‑party (public/social) content that can change agent behavior.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The bundled setup.sh is invoked at runtime when gate-cli is missing and it downloads and installs executables from GitHub (e.g. https://api.github.com/repos/gate/gate-cli/releases/latest and https://github.com/gate/gate-cli/releases/download/.../${ARCHIVE}), which fetches and installs remote code that will be executed on the host.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly includes write-capable exchange commands and a controlled execution workflow: it documents and requires gate-cli cex spot order buy / gate-cli cex spot order sell and gate-cli cex alpha order place for S5 (first-order execution). Authentication instructions reference API keys (GATE_API_KEY / GATE_API_SECRET) and the skill mandates an Action Draft + explicit user confirmation (Y) before calling those write CLIs. This is a specific, non-generic integration to place market/limit orders on a CEX (crypto trading), i.e., direct financial execution.
Issues (3)
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata