Gate Exchange LaunchPool Skill
v1.0.1Gate LaunchPool staking and airdrop skill. Use when the user asks to browse LaunchPool, stake or redeem, or check airdrop rewards. Triggers on 'LaunchPool',...
⭐ 0· 94·0 current·0 all-time
byGate@gate-exchange
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (Gate LaunchPool staking, airdrops, browse/stake/redeem/records) align with the documented MCP tools and workflows. All declared MCP tool calls (list projects, create order, redeem, pledge/reward records) are coherent with the stated capabilities.
Instruction Scope
SKILL.md contains detailed, narrow runtime instructions that stay within LaunchPool functionality: intent resolution, parameter parsing, specific MCP tool calls, preview-confirm UX for write ops, and clear pagination/timestamp rules. It does reference an external runtime rules file on GitHub (gate-runtime-rules.md) and several included reference docs, but it does not instruct reading arbitrary local files or exfiltrating data outside the Gate MCP endpoints.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — minimal disk/exec footprint. This reduces installation risk.
Credentials
SKILL.md explicitly states "API Key Required: Yes" and that write operations need Launch:Write permissions, but the registry metadata lists no required environment variables or primary credential. That mismatch should be resolved: stake/redeem operations legitimately require a Gate API key (scoped to necessary permissions), but the skill metadata does not declare how credentials are provided. Verify how your agent/MCP connector supplies and scopes the API key before enabling write operations.
Persistence & Privilege
No 'always: true'. The skill does not ask to modify other skills or agent-wide settings. Autonomous invocation is allowed (default) but that's expected; the skill requires explicit user confirmation before any write (stake/redeem) per its own SOP.
Assessment
This skill appears to do what it claims (project browsing, stake, redeem, and record queries) and is instruction-only (no code to run locally), which keeps the attack surface small. Before installing or enabling write actions, confirm these points: 1) Credential handling — the SKILL.md requires a Gate API key with Launch:Write permissions, but the registry metadata lists no required env var; check how your agent/MCP connector will store and scope that API key (prefer least privilege and short-lived keys if possible). 2) Confirm the MCP server endpoint(s) and trustworthiness of the MCP integration (the skill will call Gate MCP tools to perform actions). 3) The skill reads an external runtime rules file on GitHub; review that file if you want to audit additional runtime constraints. 4) The skill enforces a preview→confirm flow for writes — do not bypass confirmation. If you need higher assurance, request the publisher/repo provenance or require the skill to declare its credential input mechanism explicitly (e.g., primaryEnv) before enabling it.Like a lobster shell, security has layers — review code before you run it.
latestvk97dxf5e5bk4wjee3tx37dwcw9842sj8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.