Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gate Exchange Alpha
v1.0.1
Gate Alpha token market skill. Use when the user specifically asks to browse, trade, or check Alpha market tokens. Triggers on 'alpha tokens', 'alpha market'...
by Gate @gate-exchange
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes both read and write trading flows (quote -> place order -> poll order) and explicitly states an API key with Alpha:Write permission is required. However, the registry metadata declares no required env vars or primary credential. That discrepancy means the skill's declared requirements do not match what it actually needs to operate.
Instruction Scope
The runtime instructions are narrowly scoped to MCP tools for Gate Alpha (listing exactly which read and write tools to call) and include safety rules (explicit confirmation before placing orders, quote expiry handling). The SKILL.md references an external runtime rules doc on GitHub, but there are no instructions to read unrelated local files or transmit data to unknown endpoints.
Install Mechanism
This is an instruction-only skill (no install spec, no code files). No downloads or archive extraction are involved, which reduces installation risk.
Credentials
The skill requires access to account-level operations (placing orders, viewing balances, transaction history) per its MCP auth section, but the registry metadata does not declare any credential or primaryEnv. Requiring Alpha:Write is proportionate to trading functionality, but it should be declared where the agent expects credentials — the omission is a misalignment that could lead to unexpected permission prompts or silent failures.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill does not request persistent system-wide privileges or modify other skills' configurations. It does describe polling behavior for order tracking, which is expected for trading workflows.
Scan Findings in Context
[no_regex_findings] expected: The static scanner found no regex matches — expected because this is an instruction-only skill with no code files. Absence of findings is not proof of safety; the SKILL.md itself contains the operational surface that must be reviewed.
What to consider before installing
Before installing, verify how the agent will supply your Gate API key: SKILL.md clearly requires an API key with Alpha:Write (to place orders), but the registry entry lists no required credentials. Ask the publisher (or the registry) where and how the API key is expected to be provided (agent vault, environment variable, or MCP config). Treat the skill as able to place and cancel real trades: test in read-only mode first (use market-viewing/token-discovery only) and confirm the skill cannot perform writes until you explicitly authorize it. Also confirm the skill's origin: the README points to a Gate.com repo, but the published source is 'unknown' and no homepage is provided. Prefer skills with a verifiable repository or publisher. If you proceed, restrict the API key permissions (least privilege), monitor the first few actions, and ensure the agent prompts you for explicit confirmation before any quote is executed into a place_order call.
Like a lobster shell, security has layers — review code before you run it.
latestvk973hsrz6n5m776k1b18qsgddd8437ga
