Gate Claude Code One-Click Installer (MCP + Skills)

Security checks across malware telemetry and agentic risk

Overview

This Gate MCP installer is not proven malicious, but it makes broad persistent changes to Claude configuration and installed skills for crypto/account tooling without enough scoping or confirmation.

Install only if you intend to add Gate MCP services to your user-level Claude setup. Prefer selecting only the specific MCPs you need, review the exact ~/.claude.json and ~/.claude/skills changes first, back up existing skills, and do not place real exchange API keys or bearer tokens into shared files or chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer performs `npm install -g npx`, which modifies the user's global Node.js environment rather than limiting itself to Claude Code configuration. Global package installation expands the script's privilege and supply-chain risk surface, and can unexpectedly alter other workflows on the machine.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
By default, the script clones the entire `gate-skills` repository and installs every skill, which exceeds a narrowly scoped installer for Gate MCP tooling. This broad default increases supply-chain and capability risk because users receive more code and prompts than they explicitly requested.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer directs modification of ~/.claude.json and copying skills into ~/.claude/skills/, but it does not present a prominent up-front warning that it will persistently change the user's local Claude configuration and home-directory contents. This can lead users to authorize durable changes without informed consent, increasing the risk of unwanted tool activation or trust in subsequently loaded skills.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill mentions optional API keys, OAuth2 login, and bearer-token-based authorization, but it frames them as configuration details rather than a clear risk/consent warning about enabling account-linked access and possible trading/account operations. Because some endpoints provide private account and trade capabilities, insufficient warning can cause users to connect sensitive accounts without understanding the privilege level.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script unconditionally removes existing skill directories under `~/.claude/skills` before copying new content, with no confirmation or backup. This can destroy user-customized skills or replace previously trusted content silently, which is especially risky in an installer context.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The configuration embeds credential-shaped environment variable entries directly in the installer fragment, even though they are placeholders. In an installation context, this encourages users to edit secrets into a checked-in config file or copy sensitive values into insecure locations, which can lead to accidental disclosure through source control, shell history, backups, or shared project files.

External Transmission

Medium
Category
Data Exfiltration
Content
| MCP | **Gate** (Local CEX, `main`) | stdio `npx -y gate-mcp`, env `GATE_API_KEY` / `GATE_API_SECRET` — [gate-mcp](https://github.com/gate/gate-mcp) |
| MCP | **gate-cex-pub** (`cex-public`) | `https://api.gatemcp.ai/mcp`, HTTP, `type`+`url` only (no headers), no auth |
| MCP | **gate-cex-ex** (`cex-exchange`) | `https://api.gatemcp.ai/mcp/exchange`, HTTP, `type`+`url` only; Gate OAuth2 on first use |
| MCP | **Gate-Dex** (`dex`) | `https://api.gatemcp.ai/mcp/dex`, fixed `x-api-key` + `Authorization: Bearer ${GATE_MCP_TOKEN}` |
| MCP | **Gate-Info** (`info`) | `https://api.gatemcp.ai/mcp/info` |
| MCP | **Gate-News** (`news`) | `https://api.gatemcp.ai/mcp/news` |
| Skills | gate-skills | https://github.com/gate/gate-skills (installs all under `skills/`) |
Confidence
93% confidence
Finding
https://api.gatemcp.ai/

Session Persistence

Medium
Category
Rogue Agent
Content
- If the user does not specify which MCPs → install all: `main`, `cex-public`, `cex-exchange`, `dex`, `info`, `news`.
- If the user specifies "only install xxx" → install only the specified MCPs.

### 2. Write Claude Code MCP Config

- User-level config: `~/.claude.json` (Windows: `%USERPROFILE%\.claude.json`). If using directory format, use the corresponding config under `~/.claude/`.
- If it already exists, **merge** into the existing `mcpServers`; do not overwrite other MCPs.
Confidence
94% confidence
Finding
Write Claude Code MCP Config - User-level config: `~/.claude.json` (Windows: `%USERPROFILE%\.claude.json`). If using directory format, use the corresponding config under `~/.claude/`. - If it already

VirusTotal

63/63 vendors flagged this skill as clean.
