Gate Exchange Staking Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for Gate staking, but it needs Review because it can submit financial staking or redemption actions and carries conflicting and under-scoped safety instructions.

Install only if you trust the Gate MCP server and are comfortable granting Earn:Write authority. Use the narrowest Gate API key possible, with no withdrawal permission, and verify that every stake, redeem, or mint action shows a clear draft and waits for an immediate explicit confirmation before execution. Prefer a revised version that removes the unpinned remote runtime rule, resolves merge conflicts, and makes confirmation mandatory in every workflow file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (14)

Intent-Code Divergence (Medium, 95% confidence)

The changelog states the skill has a read-only access implementation, but the same skill metadata and documented workflows clearly include staking, redeeming, and minting actions that can change account state. This kind of misleading security documentation can cause reviewers, integrators, or users to grant the skill more trust or broader deployment than warranted, increasing the chance of unauthorized or insufficiently reviewed transactional use.

Context-Inappropriate Capability (Medium, 86% confidence)

The portfolio-value workflow instructs the agent to obtain external prices, which expands the skill beyond its stated purpose of querying staking positions and balances. This can cause unintended tool use, data-flow expansion, or inaccurate valuation behavior if pricing sources are ambiguous or untrusted, especially in a financial context.

Intent-Code Divergence (Medium, 78% confidence)

The document says timestamps must not be displayed, but the redemption workflow later suggests using updateStamp for unlock-time output, creating contradictory instructions. In practice this can lead to accidental disclosure or inconsistent handling of internal metadata, and increases the chance the agent exposes fields the skill intended to suppress.

Description-Behavior Mismatch (Medium, 91% confidence)

The file expands the skill from staking/mint/redeem actions into order-history and reward-record retrieval, which broadens the data-access surface beyond the manifest's stated purpose. That mismatch can cause the agent to invoke this skill for account-history queries the user did not intend to route through a staking action skill, increasing the risk of unnecessary exposure of sensitive financial records.

Intent-Code Divergence (Medium, 98% confidence)

The unresolved merge-conflict markers indicate the file is in a broken, ambiguous state, and the two branches give contradictory handling for timestamps. In an agent skill, such ambiguity can lead to unpredictable behavior, including exposing fields that were supposed to be suppressed or causing the model to follow inconsistent instructions when formatting potentially sensitive activity metadata.

Description-Behavior Mismatch (Medium, 92% confidence)

The APY verification workflow instructs the agent to call an additional positions tool, extending the skill into cross-function portfolio analysis not described in the manifest. This creates scope creep and can lead to collection of more account data than necessary for the user's original staking request, violating least privilege and increasing the consequences of misrouting or prompt-trigger abuse.

Vague Triggers (Medium, 90% confidence)

The trigger list for execution-capable intents includes broad everyday phrases such as "redeem" and "help me mint," which can cause the staking skill to activate in contexts where the user did not clearly intend a financial operation workflow. In a skill that can lead to write actions, overbroad routing increases the chance of unintended escalation from conversation into transaction preparation.

Vague Triggers (Medium, 75% confidence)

Overly broad trigger phrases, such as general balance or staking-related requests, can cause the skill to activate on ambiguous user utterances that do not clearly request this specific operation. In a financial skill, mistaken invocation can lead to unnecessary account-data retrieval, confusing responses, or execution of workflows outside the user's precise intent.

Vague Triggers (Medium, 82% confidence)

Trigger examples for portfolio value are generic enough to overlap with broader financial questions, increasing the risk that this staking skill handles requests that should be routed elsewhere. Because the workflow also introduces price retrieval, ambiguous activation can broaden data access and produce misleading or unintended valuation outputs.

Missing User Warnings (Medium, 92% confidence)

The guidance encourages recommending staking products based on APR, flexibility, or availability without requiring any user-facing warning about principal risk, protocol risk, lock-up duration, redemption delays, or variable yields. In a financial skill, this can steer users toward unsuitable products or create a misleading impression that products are comparable only by yield, which is materially risky even if no direct transaction is executed from this file.

Missing User Warnings (Medium, 94% confidence)

The sold-out fallback tells the agent to suggest substitute products sorted by APR, but it does not require warning that the alternatives may have different lock periods, liquidity constraints, asset exposure, or DeFi risk characteristics. This is dangerous because a user seeking one unavailable product may be nudged into a materially different and riskier product without clear disclosure of those differences.

Vague Triggers (Medium, 87% confidence)

Examples like "Transaction history" are broad enough to match generic account-history requests, not just staking-related activity. This can cause the skill to activate outside its intended domain and surface staking records in response to ambiguous prompts, creating data minimization and routing-control issues.

Vague Triggers (Medium, 85% confidence)

Reward-side examples such as "My earnings history" and "Reward calculation" are overly generic and can overlap with unrelated earnings, PnL, or portfolio analytics requests. That ambiguity increases the chance of unintended invocation and disclosure of staking reward records when the user meant a different financial context.

Missing User Warnings (Medium, 93% confidence)

The skill allows stake/redeem submission after only an optional confirmation in some paths, while other paths merely proceed once parameters are resolved. Because these are financial transactions that move assets on-chain or into earn products, inconsistent confirmation behavior can lead to accidental irreversible submissions from ambiguous or overly broad user requests.

VirusTotal

60/60 vendors flagged this skill as clean.