Skills
skills/gate/gate-skills/gate-mcp-claude-installer/Gen Agent Trust Hub

gate-mcp-claude-installer

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONCREDENTIALS_UNSAFE
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill clones the official gate-skills repository from GitHub (https://github.com/gate/gate-skills.git) and utilizes npx to fetch the gate-mcp package. Both sources are controlled by the skill's vendor and are required for the intended functionality.
  • [COMMAND_EXECUTION]: The installer executes a bash script (install.sh) to coordinate the setup process and a Node.js script (merge-mcp-config.js) to update configuration files. It also attempts to globally install the npx utility if it is not found on the host system.
  • [DATA_EXFILTRATION]: During installation, the script prompts the user to input their GATE_API_KEY and GATE_API_SECRET. These credentials are subsequently stored in the local Claude Code configuration file (~/.claude.json) to enable trading features. This is the standard method for managing secrets within the Claude Code MCP ecosystem.
  • [CREDENTIALS_UNSAFE]: The configuration fragment for the Gate-Dex MCP server contains a hardcoded API key (MCP_AK_8W2N7Q). According to the documentation, this is a fixed identifier used for the public DEX service and does not represent a compromise of private user secrets.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 2, 2026, 12:21 AM