Gate DEX Market

Security checks across malware telemetry and agentic risk

Overview

The skill is mainly a Gate DEX market-data router, but it also introduces persistent credentials, mutable remote instructions, installer-side agent routing changes, and broad signed API access that should be reviewed before installation.

Install only if you trust Gate's remote runtime rules and are comfortable with persistent local Gate API credentials. Review or avoid OpenAPI mode unless you can use a dedicated low-privilege key, and inspect the helper or constrain allowed actions before relying on the read-only claim. Back up any existing CLAUDE.md before running install.sh.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)


High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a read-only market-data router, but the referenced behavior includes generic OpenAPI invocation, trade-related actions, credential-based HMAC signing, and even embedded default API credentials. That mismatch can cause an agent to route into privileged or transaction-capable paths under the guise of safe read-only usage, materially increasing the risk of unauthorized trading, credential misuse, or data exfiltration.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README states the skill can automatically check a remote GitHub repository for updates at session start or installation, which goes beyond a read-only market-data purpose and introduces behavior that fetches and trusts remote content. Even if framed as non-disruptive, this expands the attack surface to supply-chain manipulation, unexpected network egress, and scope drift from the declared skill function.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The README advertises security-audit capabilities despite the skill metadata describing a read-only market-data skill. This mismatch can cause an agent or user to rely on the skill for security judgments it may not be authorized or designed to perform, creating unsafe trust and scope expansion.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The README describes an OpenAPI mode using AK/SK credentials, which is inconsistent with a read-only market-data skill and increases sensitivity by involving secrets management. Introducing credential-based operation where not clearly needed raises the risk of credential exposure, misuse, and privilege creep.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Advertising risk check and honeypot detection expands the skill from market-data retrieval into security analysis without clear justification in the declared purpose. In a security-sensitive context, users may overtrust these outputs, and the undocumented scope expansion can mask additional data collection or unsupported decision-making behavior.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The installer-generated CLAUDE.md routes wallet authentication and OpenAPI AK/SK usage from the broader Gate DEX skill set, even though this specific skill is documented as read-only and explicitly says not to use it for wallet auth. That mismatch can mislead an agent or user into invoking higher-risk credentialed or authenticated workflows from a market-data installation path, expanding trust and privilege boundaries beyond the declared scope.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill metadata and description constrain this skill to read-only market data, but the MCP documentation also exposes swap-token discovery and cross-chain bridge token listing workflows. Even though these calls are nominally read-only, they expand the operational scope into trading preparation and can cause an agent to select this skill for actions adjacent to swaps or bridging, violating least-privilege boundaries and increasing the chance of unsafe tool routing.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file explicitly says not to use this skill for swaps, yet it documents swap-oriented tooling and a 'Trading Preparation' workflow that instructs the agent to search tradeable tokens and perform security checks before trading. This contradiction is dangerous because agents often follow the most concrete procedural instructions available; the embedded workflow can override the higher-level restriction in practice and lead to inappropriate skill invocation for trading-adjacent tasks.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill is labeled as read-only market data, yet it instructs the agent to create persistent credentials in the user's home directory and includes hard-coded API secrets. This expands the capability from passive querying into credential bootstrapping and secret distribution, which is unnecessary for a read-only documentation file and creates a clear path for unauthorized external API use and hidden persistence.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The documentation directs the agent to write authentication material to ~/.gate-dex-openapi/config.json outside the workspace, establishing persistent state without meaningful upfront consent. Persisting secrets in a hidden location is dangerous because it can outlive the session, surprise the user, and be reused by later tasks or tools without renewed authorization.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
A market-data-only skill should not manage API key rotation or replacement unless authentication is an explicit, user-approved feature. Adding AK/SK update workflows broadens the skill into credential administration, increasing the chance of secret handling errors, exfiltration, or misuse beyond the advertised read-only scope.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file claims secure handling rules for the secret key while directly embedding the full secret in the documentation. This is a direct secret exposure: anyone with access to the skill file can recover and use the credential, making the masking guidance meaningless.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The shared instructions tell a supposedly read-only market-data skill to create and populate a persistent credential file in the user's home directory, which expands its behavior beyond simple data retrieval. Hardcoding default API credentials and writing them to disk creates unauthorized secret handling and persistent state, increasing the chance of credential leakage, misuse, or later abuse by other processes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The credential-management section gives the skill authority to display, update, and verify API credentials even though the skill is described as read-only market data only. This unnecessary capability broadens the trust boundary and could lead to secret exposure, unwanted account reconfiguration, or social engineering around credential collection.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This wrapper is packaged as a read-only market-data skill, but its interface accepts any arbitrary action string, and the examples explicitly include trade actions such as "trade.swap.chain" and "trade.swap.quote". In the context of an agent skill, this creates a dangerous capability mismatch: a caller expecting harmless price queries can invoke authenticated trading-related endpoints through the same executable path.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code loads API credentials, computes HMAC signatures, and attaches authenticated headers for every request, even though the skill is described as read-only market data. In this context, authenticated request capability is unnecessary for simple public data retrieval and materially increases risk by enabling privileged or state-changing operations if the action is abused.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The function forwards the caller-provided action and params directly into the signed request body without validating that they are limited to prices, K-lines, rankings, holders, or liquidity queries. Because the skill context promises read-only behavior, this unrestricted passthrough makes the mismatch more dangerous: an LLM or upstream caller can access broader DEX functionality than users and orchestrators expect.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring states that the LLM only needs to provide action and params, which normalizes arbitrary action selection by the model and hides the fact that those actions may be trade-capable. In a read-only skill, this design encourages unsafe use and increases the chance that orchestration layers will treat the tool as lower risk than it really is.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger keywords are broad phrases like 'quotes', 'price trends', and 'risk check', which can cause accidental activation from ordinary conversation. Overbroad activation boundaries increase the chance the wrong skill is invoked, leading to unintended network calls, misrouting, or execution of functionality outside the user's intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally writes CLAUDE.md using shell redirection, which will overwrite any existing file in the current directory without prompting or backup. If run in a repository or workspace that already relies on CLAUDE.md for agent policy or safety constraints, this can silently replace those instructions and change agent behavior in a security-relevant way.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill instructs automatic writes of sensitive material to a hidden file outside the workspace before obtaining informed user approval. This is dangerous because it bypasses normal expectations about scope and storage, and can leave persistent secrets on disk that the user did not knowingly authorize.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The API specification sends wallet addresses, token addresses, and query metadata to an external Gate endpoint but does not clearly warn users about this disclosure. For blockchain analytics, wallet addresses can still be sensitive identifiers, so omission of a privacy notice can mislead users about where their data is being sent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file instructs storing API keys and secret keys on disk under a predictable path without an explicit warning about the security implications of persisting sensitive secrets locally. Even with restrictive file permissions, this creates durable secret material that may be exposed through backups, misconfiguration, malware, or other local users and tools.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The executable path sends user/model-supplied action and params to a remote API without any built-in user-facing disclosure, approval gate, or logging about what operation is being performed. In a skill that is supposed to be read-only but is actually capable of authenticated DEX actions, silent network transmission increases the chance of unintended sensitive operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script automatically reads API credentials from a user config file and falls back to embedded defaults without any visible notice to the caller. In a read-only market-data skill, undisclosed credential access is risky because it silently upgrades the tool from public-data retrieval to authenticated API usage, which may surprise users and platform operators.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal