ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gate Cursor One-Click Installer (MCP + Skills)

v1.0.2

Gate MCP and Gate skills installer for Cursor. Use when the user asks to set up Gate trading or research tools in Cursor. Triggers on 'install Gate MCP Curso...

0· 214·0 current·0 all-time
byGate@gate-exchange
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the delivered artifacts: scripts to write/merge Cursor MCP config and to clone/install gate-skills. Required tools (bash, node, git, npx) and files touched (~/.cursor/mcp.json, ~/.cursor/skills) are reasonable for an installer of this type.
Instruction Scope
SKILL.md and scripts limit actions to config merging and cloning the gate-skills repo. The installer prompts for a Gate API key/secret (only if installing Gate (main)), writes/merges mcp.json, and copies all skills into the user's Cursor skills dir. Note: installing 'all skills' blindly increases your attack surface and the script will replace any existing skills with the same names.
Install Mechanism
No external binary download from untrusted hosts. The script clones https://github.com/gate/gate-skills (standard GitHub), uses local node/npm/git if present, and includes a local JS merge helper. This is proportionate for a repo-based installer.
Credentials
The script only requests Gate API credentials interactively when installing the Gate 'main' MCP (reasonable). It also writes a hard-coded DEX x-api-key value (MCP_AK_8W2N7Q) into the config fragments; that is unusual but explained by the MCP Dex usage. No unrelated service credentials are requested.
Persistence & Privilege
The installer writes to the user's Cursor config and skills directories (expected for an installer). always:false and no platform-global changes are present. Be aware that it will copy an entire remote skills repo into your user profile and may overwrite existing skill directories of the same name.
Assessment
This skill appears to do exactly what it claims (merge MCP servers into Cursor's mcp.json and install the gate-skills repo). Before running: 1) Review the gate-skills GitHub repo yourself — the installer clones and installs every skill there, which expands your attack surface. 2) Backup your existing ~/.cursor/mcp.json and ~/.cursor/skills/ directories so you can revert changes. 3) If you do not trust installing all skills, run the script with --no-skills or inspect the cloned repo prior to copying. 4) Be cautious when entering your Gate API key/secret; the script stores them into the local mcp.json env block. 5) Note the script writes a hard-coded DEX x-api-key (MCP_AK_8W2N7Q) into the config fragments — if you have concerns about that key, inspect/edit the generated mcp.json before using the MCP endpoints. If you want a higher-assurance install, clone the repo yourself, inspect contents, and perform the mcp.json merge manually.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ey2pj41vf3em0p9rpqmg6b9843hcn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments