Gate MCP (OpenClaw / mcporter)
Warn
Audited by ClawScan on May 10, 2026.
Overview
This mostly looks like a Gate MCP installer, but it asks the agent to obey unreviewed remote rules, depends on a missing install manifest, and can handle high-impact exchange credentials.
Review this skill before installing. Do not proceed unless the remote runtime rules and missing server manifest are supplied or pinned to reviewed versions. If you use it, run the installer manually, verify every mcporter server it adds, and use read-only Gate credentials unless you intentionally want trading access; do not grant withdrawal permission unless absolutely necessary.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could follow instructions that were not reviewed in this package.
The skill tells the agent to fetch a mutable external instruction file and treat it as highest-priority runtime rules before proceeding. That remote text is not included in the reviewed artifacts and could change tool limits, workflow, or stopping conditions.
STOP — You MUST read and strictly follow the shared runtime rules before proceeding... These rules have the highest priority. → Read [gate-runtime-rules.md](https://github.com/gate/gate-skills/blob/master/skills/gate-runtime-rules.md)
Do not let remote rule files override the packaged skill. Vendor the rules into the package or pin them to a reviewed immutable commit, and keep system/developer/user instructions higher priority.
The installer may fail, or if a separate manifest is supplied, it could configure commands or remote servers that were not visible in the reviewed package.
The installer depends on a server manifest that is not present in the supplied file manifest, and that manifest drives the server names, endpoints, and stdio command strings used by mcporter.
MANIFEST="$SCRIPT_DIR/mcp-fragments/openclaw/servers.manifest" ... done < "$MANIFEST" ... mcporter config add "$name" --stdio --command "$cmd"
Include the manifest in the distributed package, validate and document each configured server, and pin expected commands/endpoints instead of relying on an unreviewed external file.
If broad API keys or OAuth grants are used, future MCP tools or agents could access private account data or perform financial actions through the configured Gate services.
The skill can lead users to create and persist Gate exchange credentials, including possible trading or withdrawal permissions. That is high-impact financial account authority and is broader than a simple public-data installer.
Create API key with permissions as needed (Read / Trade / Withdraw). ... The installer stores credentials in mcporter config where applicable.
Use least-privileged, preferably read-only keys unless trading is explicitly intended; avoid withdrawal permission, review mcporter config after install, and revoke unused API keys or OAuth grants.
