Security audit

Gate DEX Trade

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Gate DEX trading skill, but it needs user review because it handles raw wallet keys, persistent credentials, and trading-tool configuration in ways that are broader than its stated scope.

Install only if you are comfortable with an agent-assisted crypto trading workflow. Prefer MCP wallet signing over OpenAPI mode, do not paste raw private keys or let the agent read .env/keystore files, replace any default API credentials with your own if using OpenAPI, and review all files the installer creates or overwrites before using it for real funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (42)

Description-Behavior Mismatch
Severity: Medium. Confidence: 89%.
The manifest says the skill does not do read-only lookups or wallet/account management, yet the workflow includes quote/history queries and setup-time authentication handling. This inconsistency can mislead policy engines and users about what data is accessed and what account-related operations occur, weakening trust and review controls.

Intent-Code Divergence
Severity: Medium. Confidence: 78%.
The documentation claims there is no OpenAPI fallback when MCP fails, but the routing flow still permits explicit OpenAPI mode. This policy contradiction can cause operators or users to assume a stricter execution path than what is actually possible, potentially exposing AK/SK credentials and alternate transaction paths that were thought disabled.

Description-Behavior Mismatch
Severity: Medium. Confidence: 93%.
The installer expands the trade skill's routing to include read-only transaction status/history and balance-oriented guidance, which contradicts the stated skill scope of execution-only trading. This can cause overbroad invocation of a transaction-capable skill in contexts where users expect passive lookup behavior, increasing the chance of unsafe tool selection and accidental state-changing flows.

Description-Behavior Mismatch
Severity: Medium. Confidence: 94%.
The Codex/OpenClaw routing files explicitly advertise transaction status and order history under the trade skill, despite the metadata saying the skill executes on-chain transactions and is not for read-only lookups. In agent environments, this kind of scope drift is dangerous because it trains the host tool to route benign-seeming requests into a high-risk execution skill.

Description-Behavior Mismatch
Severity: High. Confidence: 89%.
The documented behavior materially expands the skill beyond a narrow trade-execution role into credential provisioning, persistent config management, and read-only account/history features. This broader capability increases attack surface and user surprise, making it easier for a trading skill to access or retain sensitive material unrelated to a single requested swap.

Description-Behavior Mismatch
Severity: High. Confidence: 84%.
The manifest advertises cross-chain bridge support, but the instructions later force rejection of cross-chain swaps. This inconsistency can misroute users into a skill under false expectations, which is dangerous in a financial context because users may expose credentials or transaction intent to a tool that cannot safely perform the advertised operation.

Context-Inappropriate Capability
Severity: High. Confidence: 98%.
The skill instructs automatic creation of a persistent home-directory config file containing API credentials, including built-in default credentials hardcoded in the documentation. Storing secrets outside the workspace and without explicit informed consent creates durable secret material and can silently enroll users into shared credentials they did not choose.

Context-Inappropriate Capability
Severity: Critical. Confidence: 99%.
The documentation directs the agent to obtain private keys from users, file paths, or workspace files for signing. That is an extremely sensitive capability unrelated to normal assistant operation and creates a direct path to wallet compromise and irreversible asset theft if the key is mishandled, logged, or exfiltrated.

Intent-Code Divergence
Severity: Critical. Confidence: 97%.
The document claims the skill does not manage private keys, then immediately instructs the agent to collect and use them for signing. This contradiction is a red flag because it disguises a highly sensitive capability behind reassuring language, increasing the chance that users trust and comply with dangerous prompts.

Context-Inappropriate Capability
Severity: Medium. Confidence: 95%.
The shared instructions go beyond trade execution by directing the agent to provision, persist, verify, update, and roll back API credentials. That materially expands the skill's authority from transaction execution into secret management, increasing the chance of unauthorized credential handling, accidental overwrite of user configuration, and cross-workspace secret exposure.

Description-Behavior Mismatch
Severity: Medium. Confidence: 89%.
The documentation broadens a trade-execution skill into wallet-address derivation and private-key handling workflows, which materially increases the skill's exposure to secrets. In a skill whose core purpose is executing signed blockchain trades, adding instructions to collect and process private keys creates unnecessary credential-handling behavior and enlarges the attack surface.

Context-Inappropriate Capability
Severity: High. Confidence: 98%.
The guidance explicitly tells the agent to obtain private keys from file paths, keystores, .env files, or existing workspace files. This is highly dangerous because it encourages the agent to access and process the user's most sensitive credentials through natural-language instructions, creating a direct path to credential exposure or misuse.

Description-Behavior Mismatch
Severity: Medium. Confidence: 94%.
The wrapper accepts any caller-supplied action string and forwards it directly to the Gate DEX OpenAPI, so it does not enforce the manifest's claimed scope of state-changing trade execution only. In this skill context, that mismatch is security-relevant because an agent can invoke unintended endpoints, including read-only or other API operations outside the approved capability boundary, undermining user trust, policy enforcement, and least-privilege assumptions.

Intent-Code Divergence
Severity: Medium. Confidence: 84%.
The module documentation explicitly says the LLM only needs to provide action and params and includes examples for quote and token-info operations, which contradict the skill's stated execution-only purpose. In an agentic system, misleading docs are dangerous because they shape how the model uses the tool, encouraging invocation of out-of-scope endpoints and bypassing the intended safety boundary.

Context-Inappropriate Capability
Severity: Medium. Confidence: 83%.
The tool explicitly accepts an MCP token and forwards it directly as an HTTP Authorization header, giving the skill the ability to handle and transmit bearer-like credentials. In a trade-execution skill, this expands capability from transaction building into secret handling and creates risk of token misuse, leakage through logs/process arguments, or reuse against other backend APIs if the token is overprivileged.

Vague Triggers
Severity: Medium. Confidence: 92%.
The trigger keywords are broad enough to match common conversational requests such as buy, sell, trade, or exchange, which can cause an assistant to invoke a state-changing trading skill too eagerly. In this skill's context, accidental routing is particularly dangerous because the capability executes on-chain swaps and cross-chain operations affecting user assets, so misclassification can lead to unintended transaction preparation or execution flows.

Missing User Warnings
Severity: Medium. Confidence: 89%.
The README promotes swap and cross-chain trading execution without a prominent warning that these actions can irreversibly move or lose user funds through slippage, bridging failures, wrong token selection, or signing mistakes. Because this is an execution skill rather than a read-only skill, the missing risk disclosure makes unsafe user activation and underinformed consent more likely.

Missing User Warnings
Severity: Medium. Confidence: 91%.
The installer writes persistent configuration under the user's home directory and modifies AI tool configuration without an upfront warning or explicit consent flow describing what files will be changed. In a security-sensitive trading skill, silent config mutation is risky because it can alter agent routing and introduce remote transaction-capable integrations the user did not knowingly authorize.

Missing User Warnings
Severity: Medium. Confidence: 95%.
The Cursor MCP configuration is overwritten after making a backup, but the script does not ask for confirmation or merge settings. This can disrupt existing trusted MCP servers, replace prior routing behavior, and silently prioritize a remote trading endpoint inside a developer tool.

Vague Triggers
Severity: Medium. Confidence: 92%.
The trigger definition is intentionally broad for a transaction-execution skill and can match common user language like "buy", "sell", or "swap" without strong scoping to wallet/trade intent. In this context, accidental activation is dangerous because this skill progresses toward on-chain state-changing actions, so misrouting a benign query into an execution flow could lead to unwanted quote generation, signing prompts, or user confusion around real fund movement.

Vague Triggers
Severity: Medium. Confidence: 91%.
The trigger scenarios overlap heavily with natural conversation and cross-skill handoff phrasing, making activation boundaries unreliable. Because this skill can ultimately prepare, sign, and submit blockchain transactions, ambiguity at routing time materially increases the risk of unintended execution-oriented workflow entry for users who only wanted information or planning assistance.

Vague Triggers
Severity: Medium. Confidence: 80%.
The trigger set includes very broad terms like swap, exchange, buy, sell, quote, and gas price, which can match ordinary conversation. In a transaction-executing skill, accidental invocation is risky because it can start credential checks, config creation, or trading workflows without the user intentionally selecting this high-impact capability.

Vague Triggers
Severity: Medium. Confidence: 82%.
The invocation scenarios are generic and insufficiently constrained for a skill that can progress toward signed blockchain transactions. Ambiguous routing increases the chance of unintended execution flow and exposure of wallet or API-related information in response to general market or trading questions.

Missing User Warnings
Severity: Medium. Confidence: 94%.
The skill directs creation of a credential file with built-in shared credentials but does not present an up-front, meaningful warning about using shared secrets or persisting them in the user's home directory. In a financial tool, silently normalizing shared credentials can expose users to rate limits, attribution ambiguity, or abuse tied to a common keyset.

Missing User Warnings
Severity: Medium. Confidence: 98%.
The file instructs creation of a persistent credentials file containing a hardcoded API key and secret, with no meaningful upfront consent flow or warning about storing secrets on disk. Embedding default credentials in distributed skill content also risks broad credential reuse, abuse by third parties, and silent use of shared accounts for user actions.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.