gate-mcp-claude-installer

Fail

Audited by Snyk on Apr 2, 2026

Risk Level: HIGH
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The installer (scripts/install.sh) explicitly clones the public GitHub repo https://github.com/gate/gate-skills and copies those skills into ~/.claude/skills (and configures remote public MCP endpoints like https://api.gatemcp.ai/mcp and /mcp/news), which causes the agent to ingest and later load untrusted third‑party content that can change tool behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The install script performs a runtime git clone of https://github.com/gate/gate-skills.git (and by default configures/uses npx -y gate-mcp which fetches/executes the gate-mcp npm package), pulling and installing remote skill code into ~/.claude/skills that can directly control agent prompts/tool behavior, so this is a high-confidence runtime external dependency that executes/controls code.

HIGH W008: Secret detected in skill content (API keys, tokens, passwords).

  • Secret detected (high risk: 1.00). I scanned the full skill prompt for literal, high-entropy values that would grant access.

Flagged: "MCP_AK_8W2N7Q" appears twice as a fixed x-api-key for Gate-Dex and is described as "fixed" and "written to the config." This is a concrete, specific API key value (not a placeholder or environment variable name) and therefore a hardcoded credential.

Ignored items:

  • Environment variable names (GATE_API_KEY, GATE_API_SECRET, GATE_MCP_TOKEN) — these are names only, not values.
  • The Authorization header shown as "Bearer ${GATE_MCP_TOKEN}" is a template/reference, not a literal token.
  • No RSA/PEM blocks, no obvious high-entropy API keys aside from MCP_AK_8W2N7Q, and no low-entropy example passwords to consider.

Conclusion: the single literal API key MCP_AK_8W2N7Q is a real hardcoded credential present in the document.


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The installer explicitly configures connections to centralized exchange (CEX) and DEX MCPs and directs users to set API keys/OAuth for trading and wallets. It references a Local CEX with optional API keys for trading, a Remote Exchange mode that requires OAuth2 with scopes including "trade", "wallet", and "account", and Gate-Dex/web3 wallet binding. These are specific, financial-operation interfaces (market orders and crypto wallet access), not generic tooling — therefore the skill enables direct financial execution capabilities.

Issues (4)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W008 (HIGH): Secret detected in skill content (API keys, tokens, passwords).
  • W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: HIGH
Analyzed: Apr 2, 2026, 12:22 AM
Issues: 4