Gate Codex One-Click Installer (MCP + Skills)

Security checks across malware telemetry and agentic risk

Overview

This installer appears to set up Gate integrations as advertised, but it makes broad persistent changes, can store trading credentials, and replaces installed skills from mutable remote content without enough safeguards.

Review before installing. Use specific --mcp selections and --no-skills when possible, back up ~/.codex/config.toml and ~/.codex/skills first, avoid entering trading API keys unless they are tightly scoped, and be aware that the installer can replace existing Gate skill directories and route future Codex MCP use through Gate-hosted services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The skill is presented as a simple installer, but its documented behavior expands into credential collection/storage, configuration of multiple remote services, OAuth-enabled exchange access, and use of a hard-coded DEX API key. This mismatch reduces informed user consent and can cause users to install remote capabilities and persist sensitive credentials they did not reasonably expect from the description.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
Embedding a fixed DEX x-api-key into every user's local configuration is unsafe because it distributes a shared secret into untrusted client environments and silently authorizes outbound requests under a common credential. Shared embedded keys are easily extracted, abused, rate-limited, or revoked, and users are not given meaningful control over that trust decision.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The installer explicitly documents and installs a fixed DEX x-api-key, which means users inherit a bundled credential they did not supply or approve. Embedding shared credentials in an installer is risky because it creates hidden trust, may violate least-privilege expectations, and can expose users to rate-limit abuse, service revocation, or misuse tied to a common key.

Missing User Warnings

Medium
Confidence: 83%
Finding
The skill instructs modification of ~/.codex/config.toml and copying skills into the user's Codex directory, but it does not clearly foreground the persistence and security implications of those local changes. Persistent config changes can alter future tool behavior and trust boundaries beyond the current task, especially when they add remote MCP servers and executable integrations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation describes storing API keys, secrets, and auth headers in local configuration without a clear warning about privacy, filesystem exposure, or the risks of plaintext credential persistence. Users may unknowingly place long-lived secrets into config files that could be read by other local processes, backups, or source-control mistakes.

Missing User Warnings

Medium
Confidence: 98%
Finding
When the user enters Gate API credentials, the script persists them directly into ~/.codex/config.toml without clearly warning that the secrets will be stored in plaintext on disk. This is dangerous because local compromise, backups, shoulder-surfed support sessions, or permissive file permissions can expose trading credentials that enable account actions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The installer unconditionally removes existing skill directories and replaces them with freshly cloned content, with no prompt, backup, or validation of local modifications. This can destroy user data or trusted local customizations, and in this skill-installation context it also makes it easy to silently replace previously reviewed skills with new remote content.

Natural-Language Policy Violations

High
Confidence: 99%
Finding
The manifest hard-codes an API key value in the x-api-key header, which exposes a credential directly in versioned configuration. Any user with access to the skill or repository can reuse that key to authenticate to the external Gate MCP service, enabling unauthorized access, abuse, or billing/usage impact. The skill context makes this more dangerous because the file is specifically an installer/config fragment intended to be distributed and copied into Codex environments.

External Transmission

Medium
Category: Data Exfiltration
Content
## CEX MCP modes

See [gate-mcp](https://github.com/gate/gate-mcp): **Local** = stdio `gate-mcp` with API keys; **Remote Public** = `https://api.gatemcp.ai/mcp` (no auth); **Remote Exchange** = `https://api.gatemcp.ai/mcp/exchange` (Gate OAuth2). Dex/Info/News are separate endpoints on the same host.

## Resources
Confidence: 73%
Finding
https://api.gatemcp.ai/

External Transmission

Medium
Category: Data Exfiltration
Content
## CEX MCP modes

See [gate-mcp](https://github.com/gate/gate-mcp): **Local** = stdio `gate-mcp` with API keys; **Remote Public** = `https://api.gatemcp.ai/mcp` (no auth); **Remote Exchange** = `https://api.gatemcp.ai/mcp/exchange` (Gate OAuth2). Dex/Info/News are separate endpoints on the same host.

## Resources
Confidence: 73%
Finding
https://api.gatemcp.ai/

External Transmission

Medium
Category: Data Exfiltration
Content
| Type | Name | Endpoint / Config |
|------|------|-------------------|
| MCP | **Gate** (`main`) | stdio `command = "npx"`, `args = ["-y", "gate-mcp"]`, optional `env` for keys |
| MCP | **gate-cex-pub** (`cex-public`) | `url = "https://api.gatemcp.ai/mcp"` |
| MCP | **gate-cex-ex** (`cex-exchange`) | `url = "https://api.gatemcp.ai/mcp/exchange"` (OAuth2 in client) |
| MCP | **gate-dex** (`dex`) | `https://api.gatemcp.ai/mcp/dex`, `http_headers` x-api-key + Bearer token |
| MCP | **gate-info** (`info`) | `https://api.gatemcp.ai/mcp/info` |
Confidence: 76%
Finding
https://api.gatemcp.ai/

External Transmission

Medium
Category: Data Exfiltration
Content
|------|------|-------------------|
| MCP | **Gate** (`main`) | stdio `command = "npx"`, `args = ["-y", "gate-mcp"]`, optional `env` for keys |
| MCP | **gate-cex-pub** (`cex-public`) | `url = "https://api.gatemcp.ai/mcp"` |
| MCP | **gate-cex-ex** (`cex-exchange`) | `url = "https://api.gatemcp.ai/mcp/exchange"` (OAuth2 in client) |
| MCP | **gate-dex** (`dex`) | `https://api.gatemcp.ai/mcp/dex`, `http_headers` x-api-key + Bearer token |
| MCP | **gate-info** (`info`) | `https://api.gatemcp.ai/mcp/info` |
| MCP | **gate-news** (`news`) | `https://api.gatemcp.ai/mcp/news` |
Confidence: 79%
Finding
https://api.gatemcp.ai/

External Transmission

Medium
Category: Data Exfiltration
Content
| MCP | **Gate** (`main`) | stdio `command = "npx"`, `args = ["-y", "gate-mcp"]`, optional `env` for keys |
| MCP | **gate-cex-pub** (`cex-public`) | `url = "https://api.gatemcp.ai/mcp"` |
| MCP | **gate-cex-ex** (`cex-exchange`) | `url = "https://api.gatemcp.ai/mcp/exchange"` (OAuth2 in client) |
| MCP | **gate-dex** (`dex`) | `https://api.gatemcp.ai/mcp/dex`, `http_headers` x-api-key + Bearer token |
| MCP | **gate-info** (`info`) | `https://api.gatemcp.ai/mcp/info` |
| MCP | **gate-news** (`news`) | `https://api.gatemcp.ai/mcp/news` |
| Skills | gate-skills | https://github.com/gate/gate-skills (installs all under `skills/`) |
Confidence: 90%
Finding
https://api.gatemcp.ai/

External Transmission

Medium
Category: Data Exfiltration
Content
| MCP | **gate-cex-pub** (`cex-public`) | `url = "https://api.gatemcp.ai/mcp"` |
| MCP | **gate-cex-ex** (`cex-exchange`) | `url = "https://api.gatemcp.ai/mcp/exchange"` (OAuth2 in client) |
| MCP | **gate-dex** (`dex`) | `https://api.gatemcp.ai/mcp/dex`, `http_headers` x-api-key + Bearer token |
| MCP | **gate-info** (`info`) | `https://api.gatemcp.ai/mcp/info` |
| MCP | **gate-news** (`news`) | `https://api.gatemcp.ai/mcp/news` |
| Skills | gate-skills | https://github.com/gate/gate-skills (installs all under `skills/`) |
Confidence: 68%
Finding
https://api.gatemcp.ai/

External Transmission

Medium
Category: Data Exfiltration
Content
| MCP | **gate-cex-ex** (`cex-exchange`) | `url = "https://api.gatemcp.ai/mcp/exchange"` (OAuth2 in client) |
| MCP | **gate-dex** (`dex`) | `https://api.gatemcp.ai/mcp/dex`, `http_headers` x-api-key + Bearer token |
| MCP | **gate-info** (`info`) | `https://api.gatemcp.ai/mcp/info` |
| MCP | **gate-news** (`news`) | `https://api.gatemcp.ai/mcp/news` |
| Skills | gate-skills | https://github.com/gate/gate-skills (installs all under `skills/`) |

## Behavior Rules
Confidence: 68%
Finding
https://api.gatemcp.ai/

Self-Modification

High
Category: Rogue Agent
Content
### 2. Write Codex MCP Config

- User-level config: `~/.codex/config.toml` (or `$CODEX_HOME/config.toml`). Creates the file and writes `[mcp_servers]` with corresponding tables if it does not exist.
- If it already exists, **merge**: only append Gate MCP sections that don't already exist; do not overwrite existing config.
- Config details:
  - **Gate (main)**: stdio, `command` / `args` / optional `env` for `GATE_API_KEY` / `GATE_API_SECRET`
  - **gate-cex-pub / gate-cex-ex**: `url` as above (no `http_headers` for remote CEX)
Confidence: 89%
Finding
overwrite existing config

Session Persistence

Medium
Category: Rogue Agent
Content
- If the user does not specify which MCPs → install all: `main`, `cex-public`, `cex-exchange`, `dex`, `info`, `news`.
- If the user specifies "only install xxx" → install only the specified MCPs.

### 2. Write Codex MCP Config

- User-level config: `~/.codex/config.toml` (or `$CODEX_HOME/config.toml`). Creates the file and writes `[mcp_servers]` with corresponding tables if it does not exist.
- If it already exists, **merge**: only append Gate MCP sections that don't already exist; do not overwrite existing config.
Confidence: 88%
Finding
Write Codex MCP Config - User-level config: `~/.codex/config.toml` (or `$CODEX_HOME/config.toml`). Creates the file and writes `[mcp_servers]` with corresponding tables if it does not exist. - If it

VirusTotal

57/57 vendors flagged this skill as clean.
