gate-mcp-codex-installer
Audited by Snyk on Apr 2, 2026
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The prompt includes and requires writing explicit secret values (e.g., the hardcoded DEX x-api-key "MCP_AK_8W2N7Q") and instructs embedding API keys/Bearer tokens or user-provided GATE_API_KEY/GATE_API_SECRET into config/http headers, which forces the LLM to handle and output secrets verbatim.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The installer (scripts/install.sh) explicitly clones and copies the public GitHub repo https://github.com/gate/gate-skills (the skills/ directory) into the Codex skills directory, causing the agent to ingest and later load untrusted, user-generated third-party code that can define tools/behavior and materially influence actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The installer script runs git clone on https://github.com/gate/gate-skills.git at runtime and copies those remote skill directories into $CODEX_HOME/skills/, which will be loaded/executed by Codex and thus can directly control agent prompts/behavior.
HIGH W008: Secret detected in skill content (API keys, tokens, passwords).
- Secret detected (high risk: 1.00). I scanned the prompt for literal, high-entropy credentials. The only direct, literal credential-like value present is the fixed DEX x-api-key: "MCP_AK_8W2N7Q". It is not a placeholder or obvious low-entropy setup password — it is presented as a fixed API key that will be written into config.toml, which makes it a usable credential. Other items (GATE_API_KEY / GATE_API_SECRET) are only environment variable names/placeholders and contain no values, and thus are ignored per the rules.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to install and configure connectors to centralized exchanges (CEX) and decentralized exchange/info/news endpoints: it defines gate-cex-ex (exchange) with OAuth2, gate-cex-pub, gate-dex (DEX) with API keys/headers, and Gate (main) with optional GATE_API_KEY / GATE_API_SECRET for trading. It also references completing Gate OAuth2 and web3.gate.com for a wallet. These are specific crypto/exchange integrations (wallets, DEX/CEX endpoints, API keys, OAuth2) — not generic tooling — and therefore provide direct financial execution capability.