Gate CrossEx Cross-Exchange Trading

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed trading skill, but it grants broad financial read/write authority and relies on broad routing plus mutable external runtime instructions.

Install only if you intentionally want an agent connected to Gate MCP to manage real CrossEx trading activity. Use a least-privilege API key if possible (read-only or trade-only, with no withdrawal permission), fund only a small test amount first, verify every exchange, symbol, amount, order ID, transfer route, and leverage value before confirming, and treat the remote runtime/update instructions as untrusted input that can change after installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (25)

Description-Behavior Mismatch

Severity: Medium | Confidence: 93%
Finding
The documentation materially understates the skill's claimed scope: it only describes flash convert flows, while the manifest advertises broader cross-exchange trading and position querying across multiple exchanges. This mismatch can cause an agent to invoke the skill in unsupported or insufficiently specified contexts, increasing the chance of incorrect trading actions, missing safeguards, or misleading users about capabilities.

Intent-Code Divergence

Severity: Low | Confidence: 84%
Finding
The Gate-focused language and examples conflict with the manifest's claim of simultaneous support across Gate, Binance, OKX, and Bybit. In a trading skill, this inconsistency can mislead the agent into applying Gate-specific assumptions or workflows to other exchanges, producing incorrect execution paths or user guidance.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%
Finding
The file expands the skill from the stated cross-exchange trading/position use case into retrieval of sensitive account history and ledger data. This increases data exposure beyond the manifest's declared scope and can cause users or orchestration layers to invoke the skill for broader, privacy-sensitive actions they did not expect.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
Finding
The content is Gate-specific while the skill metadata advertises cross-exchange behavior across Gate, Binance, OKX, and Bybit. This mismatch can misroute user requests, produce incomplete or misleading results, and weaken trust and control boundaries around which accounts and exchanges are being queried.

Description-Behavior Mismatch

Severity: Medium | Confidence: 91%
Finding
The documentation extends the skill into margin-specific leverage management and interest-rate workflows that are outside the manifest’s stated cross-exchange trading/position scope. In a trading agent, scope expansion is security-relevant because it can cause the model to invoke higher-risk financial actions the user did not intend, including leverage changes and borrowing-related operations.

Description-Behavior Mismatch

Severity: Medium | Confidence: 89%
Finding
The documented scenarios describe single-exchange margin trading behavior rather than the manifest’s promised simultaneous cross-exchange operations. This mismatch is dangerous because users and orchestration layers may rely on the manifest for trust and routing, while the actual prompt logic can execute a different, riskier class of trades than expected.

Description-Behavior Mismatch

Severity: Medium | Confidence: 87%
Finding
The skill manifest frames the capability as cross-exchange trading/query, but this document adds cancel and amend workflows that are materially more sensitive because they mutate live orders. That scope expansion can cause the agent to perform destructive trading actions users did not intend to authorize under the advertised capability boundary.

Description-Behavior Mismatch

Severity: Medium | Confidence: 90%
Finding
The file is framed as spot-trading guidance but includes a cross-exchange arbitrage workflow that instructs the agent to compare prices across venues and place coordinated orders on multiple exchanges. In a trading skill, this scope expansion is dangerous because it can trigger higher-risk multi-leg execution without robust safeguards for simultaneity, transfer availability, settlement differences, or per-exchange confirmation and balance checks, leading to unintended losses or partial execution.

Intent-Code Divergence

Severity: Medium | Confidence: 94%
Finding
The limit-buy scenario contradicts itself by describing amount-based user inputs while the API requires quantity-based `qty` for limit orders, creating ambiguity in how order size is derived. In a trading context, this can cause the agent to submit an unintended order size or transform a quote-amount request into a coin-quantity order incorrectly, resulting in financial loss or failed orders.

Vague Triggers

Severity: Medium | Confidence: 92%
Finding
The routing table uses very broad keywords such as "transfer," "positions," and especially "history," which can match ordinary conversation and trigger high-risk trading or account workflows unintentionally. In a skill that can place trades, move funds, and manage positions across multiple exchanges, ambiguous invocation materially increases the chance of accidental order execution or transfer initiation from loosely phrased user input.
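The practical mitigation for the routing findings above is to make the skill's entry point default-deny: a bare keyword such as "history" or "positions" never routes by itself, a read needs an explicit scope, and a mutation needs every identifying field plus a confirmation step before any tool is called. The following guard is an added example written for this report; it is not part of the Gate CrossEx skill, its routing table, or the Gate MCP server. The keyword sets, the exchange names, the symbol and order-ID patterns, and the tier names are assumptions chosen for illustration.

```python
"""Default-deny routing guard for a write-capable trading skill.

Added example, not code from the Gate CrossEx skill or Gate MCP. The keyword
lists and regexes below are assumptions; a real deployment would take these
fields from structured tool arguments, but the shape of the gate is the same.
"""
import re

EXCHANGES = {"gate", "binance", "okx", "bybit"}                       # assumed venue names
# Verbs that mutate account state: orders, leverage, transfers, position closure.
WRITE_VERBS = {"buy", "sell", "cancel", "amend", "modify", "transfer", "close", "leverage"}
# Mutations that act on an existing order and therefore need an order ID, not a symbol.
ORDER_MUTATIONS = {"cancel", "amend", "modify"}
# Nouns that only read data but still return sensitive account information.
READ_NOUNS = {"position", "positions", "order", "orders", "history", "balance", "ledger", "interest"}
SYMBOL_RE = re.compile(r"\b[A-Z]{2,10}[_/\-]?(?:USDT|USDC|BTC|ETH)\b")   # e.g. BTC_USDT, ETH/USDC
ORDER_ID_RE = re.compile(r"\bid[:#\s]+([A-Za-z0-9\-]{4,})\b", re.IGNORECASE)


def classify(message: str) -> dict:
    """Decide whether a message may reach the skill and with which tier.

    tier is one of:
      none     - no trading vocabulary at all ("Help me"): never routed
      clarify  - trading vocabulary but missing scope; ask, do not guess
      read     - query with an explicit exchange or symbol
      write    - mutation with exchange, symbol or order ID present; still
                 only a proposal that the user must confirm before execution
    """
    words = set(re.findall(r"[a-z]+", message.lower()))
    exchanges = sorted(words & EXCHANGES)
    symbol = SYMBOL_RE.search(message)
    order_id = ORDER_ID_RE.search(message)
    verbs = sorted(words & WRITE_VERBS)
    nouns = sorted(words & READ_NOUNS)
    result = {
        "tier": "none",
        "exchanges": exchanges,
        "symbol": symbol.group(0) if symbol else None,
        "order_id": order_id.group(1) if order_id else None,
        "verbs": verbs,
        "missing": [],
        "requires_confirmation": False,
    }
    if not verbs and not nouns:
        return result                          # ordinary conversation: never routed
    if verbs:                                  # a mutation is being requested
        if len(exchanges) != 1:
            result["missing"].append("exchange")   # "on gate", not "across exchanges"
        if not (set(verbs) & ORDER_MUTATIONS) and not symbol:
            result["missing"].append("symbol")
        if set(verbs) & ORDER_MUTATIONS and not order_id:
            result["missing"].append("order_id")   # "cancel that buy order" is not enough
        result["tier"] = "clarify" if result["missing"] else "write"
        result["requires_confirmation"] = result["tier"] == "write"
        return result
    if exchanges or symbol:                    # read with an explicit scope
        result["tier"] = "read"
    else:
        result["tier"] = "clarify"             # "show my positions" alone is too broad
        result["missing"].append("exchange or symbol")
    return result


if __name__ == "__main__":
    for text in ("Help me", "Show my positions", "Show my open orders on okx",
                 "Cancel that buy order", "Cancel order id 7781 on gate for BTC_USDT"):
        r = classify(text)
        print(f"{text!r}: tier={r['tier']} missing={r['missing']}")
```

The point of the guard is the precedence order: any mutation verb forces the write path and its stricter field requirements, a read is allowed only with a named venue or symbol, and everything else is either refused or sent back as a clarification question. The tier can then be mapped to a per-tier tool allowlist so that a "read" routing physically cannot reach order, transfer or leverage tools.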

Vague Triggers

Severity: Medium | Confidence: 95%
Finding
The skill declares multiple generic trigger keywords such as broad trading and position phrases, which can cause the agent to activate this high-risk trading skill for ordinary finance-related requests. Because the skill includes write-capable tools for orders, leverage changes, transfers, and position closure, ambiguous routing increases the chance of unintended invocation and downstream sensitive actions.

Vague Triggers

Severity: Medium | Confidence: 94%
Finding
The manifest description advertises vague trigger phrases like 'Binance order' and 'OKX position', which are common user expressions that may refer to simple informational questions rather than cross-exchange trading intent. In an environment where skill descriptions influence routing, this can cause accidental selection of a skill with account-query and trade-execution capabilities.

Vague Triggers

Severity: Low | Confidence: 84%
Finding
Treating 'Help me' as a possible route into this skill creates an activation condition that is far too vague for a capability set that includes transfers and trading mutations. Although the table says to clarify, the mere inclusion of this phrase as a recognized invocation broadens the chance of unsafe routing into a sensitive financial skill.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
The prompt examples for order-history invocation are broad enough to match generic user requests without strong context boundaries. In an agent environment, ambiguous triggers can cause unintended access to trading history, exposing sensitive financial information when the user may have meant something more general.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
The trade-history examples use generic phrases that lack clear invocation boundaries, making accidental triggering more likely. Because trade records are sensitive financial data, overbroad matching can reveal private activity or cause unnecessary API calls against user accounts.

Vague Triggers

Severity: Medium | Confidence: 82%
Finding
The position-history trigger examples are overly general and may match broad portfolio or market questions. In this context, that can lead to disclosure of historical position data, including realized PnL and close times, which are sensitive account details.

Vague Triggers

Severity: Medium | Confidence: 90%
Finding
Account-ledger trigger examples like 'Show account history' and 'Transaction records' are especially ambiguous and overlap with many benign financial-assistant requests. Since ledger data can include deposits, withdrawals, transfers, balances, and notes, accidental invocation can expose highly sensitive account activity.

Missing User Warnings

Severity: Medium | Confidence: 93%
Finding
The documentation instructs the agent to query sensitive trading and account-history data without any privacy notice, consent gate, or data-minimization guidance. In a financial skill, this makes unintended disclosure more dangerous because the returned data may include balances, transfers, and detailed trading behavior.

Vague Triggers

Severity: Low | Confidence: 76%
Finding
The leverage-adjustment trigger example is broad enough to match generic user language, increasing the chance that unrelated requests are interpreted as authorization to modify leverage. In a financial context, even accidental leverage changes are meaningful because they alter liquidation risk for an existing position.

Vague Triggers

Severity: Medium | Confidence: 87%
Finding
The interest-query examples include very broad phrases such as generic 'borrowing interest rate' and 'margin interest,' which can cause unintended activation in unrelated financial conversations. In this skill context, ambiguous triggers are more dangerous because they may pivot the agent into margin-borrowing workflows adjacent to leveraged trading, exposing users to higher-risk functionality unexpectedly.

Vague Triggers

Severity: Medium | Confidence: 84%
Finding
Broad trigger phrases like 'Show my orders' or 'list orders' are common conversational language and can cause accidental skill invocation in unrelated contexts. In a trading skill, unintended activation can expose sensitive account data or start a workflow that leads users toward consequential financial actions.

Vague Triggers

Severity: Low | Confidence: 80%
Finding
The phrase 'Cancel that buy order' is ambiguous because it depends on conversational context and may map to the wrong live order if multiple candidates exist. In an order-management setting, ambiguity around destructive actions raises the risk of unauthorized or mistaken cancellation of active trades.

Vague Triggers

Severity: Medium | Confidence: 85%
Finding
Vague amend-order prompts like 'Modify order price' do not clearly require an order ID, exchange, or the full set of new parameters, increasing the chance that the assistant infers missing details incorrectly. For financial operations, underspecified mutation requests can alter the wrong order or produce unexpected trade exposure.
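Three of the findings above share one root cause: the agent is left to infer a concrete parameter the API needs (the base `qty` for a limit buy described as a quote amount, the live order behind "cancel that buy order", the new values behind "modify order price"). The checks below are an added example written for this report, not code from the Gate CrossEx skill or the Gate MCP server; the order fields, the lot-step and minimum-quantity values, and the sample open-order list are constructed assumptions. Each function either returns an exact, reviewable value or raises, so the agent has nothing to guess and must show the user the result before any tool is called.

```python
"""Pre-execution checks that turn ambiguous order requests into exact values or refusals.

Added example, not code from the Gate CrossEx skill or Gate MCP. Field names,
lot-step/min-qty values and the sample orders are constructed for illustration.
"""
from decimal import Decimal, ROUND_DOWN


class OrderCheckError(ValueError):
    """Raised when a proposed order, cancel or amend cannot be executed unambiguously."""


def derive_qty(quote_amount: str, price: str, lot_step: str, min_qty: str) -> Decimal:
    """Convert a quote-currency budget ("spend 100 USDT") into a base qty for a limit order.

    The conversion is explicit: divide by the user's limit price, round DOWN to a
    multiple of the lot step so the order never exceeds the budget, and refuse
    anything below the venue minimum instead of silently bumping it up.
    """
    amount, px, step, minimum = (Decimal(v) for v in (quote_amount, price, lot_step, min_qty))
    if amount <= 0 or px <= 0 or step <= 0:
        raise OrderCheckError("amount, price and lot step must be positive")
    qty = (amount / px / step).to_integral_value(rounding=ROUND_DOWN) * step
    if qty < minimum:
        raise OrderCheckError(f"derived qty {qty} is below exchange minimum {minimum}")
    return qty


def resolve_cancel_target(open_orders, exchange, symbol=None, side=None, order_id=None):
    """Map a cancel request to exactly one live order on one exchange.

    Zero matches and several matches are both errors: the agent must ask for the
    order ID rather than pick the most recent or the largest order.
    """
    matches = [
        o for o in open_orders
        if o["exchange"] == exchange
        and (order_id is None or o["order_id"] == order_id)
        and (symbol is None or o["symbol"] == symbol)
        and (side is None or o["side"] == side)
    ]
    if len(matches) != 1:
        ids = [o["order_id"] for o in matches]
        raise OrderCheckError(f"cancel target is ambiguous: {len(matches)} matches {ids}")
    return matches[0]


def amend_request(order, new_price=None, new_qty=None) -> dict:
    """Build an amend payload; refuse when no concrete new value was supplied."""
    if new_price is None and new_qty is None:
        raise OrderCheckError("amend requires an explicit new price and/or qty")
    payload = {"exchange": order["exchange"], "order_id": order["order_id"]}
    if new_price is not None:
        payload["price"] = str(Decimal(new_price))
    if new_qty is not None:
        payload["qty"] = str(Decimal(new_qty))
    return payload


def confirmation_summary(exchange, symbol, side, qty, price) -> dict:
    """The exact values the user must approve before anything is sent to the venue."""
    notional = (qty * Decimal(price)).quantize(Decimal("0.01"))
    return {"exchange": exchange, "symbol": symbol, "side": side,
            "qty": str(qty), "price": str(Decimal(price)), "notional": str(notional)}


# Constructed sample data: two open BTC_USDT buys on Gate and one on OKX.
SAMPLE_OPEN_ORDERS = [
    {"exchange": "gate", "order_id": "a1", "symbol": "BTC_USDT", "side": "buy", "price": "64000", "qty": "0.001"},
    {"exchange": "gate", "order_id": "a2", "symbol": "BTC_USDT", "side": "buy", "price": "63500", "qty": "0.002"},
    {"exchange": "okx", "order_id": "b1", "symbol": "BTC-USDT", "side": "buy", "price": "64100", "qty": "0.001"},
]

if __name__ == "__main__":
    qty = derive_qty("100", "65000", "0.0001", "0.0001")          # "buy 100 USDT of BTC at 65000"
    print(confirmation_summary("gate", "BTC_USDT", "buy", qty, "65000"))
    try:
        resolve_cancel_target(SAMPLE_OPEN_ORDERS, "gate", symbol="BTC_USDT", side="buy")
    except OrderCheckError as e:
        print("refused:", e)                                      # two candidate buys
    print(resolve_cancel_target(SAMPLE_OPEN_ORDERS, "gate", order_id="a2"))
```

Two design choices matter here. `Decimal` with `ROUND_DOWN` is used instead of floating point so the derived quantity is exact and never exceeds the stated budget, and the lot-step rounding works for steps that are not powers of ten. The cancel resolver also keys on the exchange, so an order ID that exists on Gate cannot be matched when the user named OKX; the cross-exchange manifest claim makes that check necessary even before multi-venue execution is considered.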

Vague Triggers

Severity: Medium | Confidence: 94%
Finding
The trigger examples for querying all positions include very broad phrases such as 'positions' and 'Show my positions', which can easily overlap with ordinary conversation and cause unintended activation of this trading skill. In a finance context, over-broad routing is risky because it may prompt account-sensitive queries across exchanges without sufficiently confirming user intent or requested scope.

Vague Triggers

Severity: Low | Confidence: 88%
Finding
The history-query triggers are underspecified, using generic phrases like 'position history' without constraints on account, exchange, symbol, or time range. This can cause the skill to activate on ambiguous requests and retrieve broader historical trading data than the user intended, increasing privacy and data-minimization risk.

VirusTotal

65/65 vendors flagged this skill as clean.