Gate Exchange Transfer

Advisory

Audited by VirusTotal on Apr 7, 2026.

Overview

Type: OpenClaw Skill
Name: gate-exchange-transfer
Version: 1.0.3

The skill is a legitimate utility for performing internal transfers between different account types (spot, margin, futures, etc.) within a single Gate.io user account. It implements strong safety guardrails, including mandatory 'Transfer Drafts', explicit user confirmation requirements, and strict rules against requesting API secrets in chat or performing cross-UID transfers. The logic is transparently documented across SKILL.md, gate-runtime-rules.md, and mcp.md, with no evidence of malicious intent, data exfiltration, or unauthorized command execution.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A misconfigured or over-privileged API key could expose more account authority than the user intends.

Why it was flagged

The skill requires authenticated Gate API credentials with wallet write authority, which is expected for transfers but gives the agent delegated ability to move funds if the user confirms.

Skill content

required_env_vars: GATE_API_KEY, GATE_API_SECRET ... required_permissions: ... Wallet:Write

Recommendation

Use a dedicated least-privilege Gate API key limited to the listed read scopes and the minimum wallet-transfer permission needed; avoid enabling withdrawal permissions if Gate allows separating them.

What this means

If the user confirms incorrect transfer details, funds may move to the wrong Gate account type and the transfer may be difficult to undo.

Why it was flagged

The skill uses a real write-capable MCP tool to execute financial transfers, but the same artifact requires a draft and explicit confirmation before calling it.

Skill content

cex_wallet_create_transfer | execute account-to-account transfer ... Require explicit confirmation.

Recommendation

Review the source account, destination account, currency, amount, and risk note in the transfer draft before replying with confirmation.

What this means

A user must trust the local Gate MCP deployment because it will handle API credentials and submit transfer requests.

Why it was flagged

The skill itself is instruction-only, but execution depends on a separately installed Gate MCP server that is not included in the skill bundle.

Skill content

Required MCP Servers ... Gate (main) ... Install: Use the local Gate MCP installation flow for the current host IDE before continuing.

Recommendation

Install the Gate MCP only from the official or trusted source and verify it exposes only the expected Gate tools before using this skill.