Back to skill

Security audit

Gate DEX Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a real wallet skill, but it grants broad financial, credential, installer, and agent-routing authority that goes beyond a simple wallet-management description.

Install only if you intend to enable a broad Gate DEX wallet/CLI suite, not just balance checks. Review the installer changes first, avoid configuring OpenAPI keys unless you need hybrid swap, verify every transaction/payment/approval before confirming, and treat the local tx-checkin binary, npm CLI, Gate MCP endpoint, OAuth session files, and AGENTS.md/CLAUDE.md routing edits as persistent trusted components.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill clearly directs terminal and CLI execution, including use of prebuilt binaries and MCP setup commands, yet it declares no explicit permissions for shell-capable behavior. That mismatch weakens the trust boundary: a user or host may not realize the skill can drive local command execution and file/system interactions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The file presents itself as a lightweight wallet-management router, but the described behavior from analysis includes local environment configuration, editing developer tool config files, installing packages, and handling credentials for external services. This description-behavior mismatch is dangerous because users may grant trust for wallet actions without realizing the skill can alter local tooling, persist secrets, and expand its operational footprint.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The MCP discovery probe explicitly looks for dex_tx_quote and dex_tx_swap even though the skill states it must not handle swap execution. Discovering and validating trade-capable tools unnecessarily broadens reachable functionality and creates confusion about whether swap operations are in scope.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Instructing the agent to discover swap/trade capabilities is unjustified for a wallet-management skill and increases the chance of cross-skill capability bleed. In a financial context, that expanded discovery surface is more dangerous because it can lead to unintended invocation of higher-risk trading functions.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer for a wallet-focused skill also installs and routes market-data and trading skills, expanding the trusted capability set beyond the declared scope. This violates least privilege and can mislead users into enabling higher-risk functions such as trading or swap-related workflows they did not intend to install.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer provisions OpenAPI API/secret keys and advertises `openapi-swap` even though the skill metadata explicitly says the skill should not be used for token swap execution. That mismatch expands the skill's operational scope into sensitive trading functionality, increasing the chance of unauthorized or misleading use of privileged credentials.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script silently modifies `CLAUDE.md` and `AGENTS.md`, which can influence agent routing and future tool-selection behavior beyond simple CLI installation. For a wallet-management installer, changing workspace policy/routing files is an unnecessary privilege expansion that can steer downstream agent actions without informed user approval.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The CLI reference materially expands the skill from wallet/account management into swap execution and market-data operations, directly conflicting with the parent skill boundary. In an agent setting, this kind of scope drift is dangerous because routing and permission decisions may rely on the top-level description, causing the agent to invoke higher-risk fund-moving or trading functions under a less scrutinized skill.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented capability boundaries explicitly include swap, market-data, and raw chain/RPC operations, which exceed the stated wallet-management-only purpose. This increases the chance that an agent will perform sensitive or unsafe actions without the stricter controls that should accompany broader trading and low-level blockchain access.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Providing raw JSON-RPC capability gives the agent a generic low-level interface to blockchain nodes, which can bypass higher-level safety checks and intended workflow constraints. For a wallet-management skill, this is unnecessarily powerful and can enable unreviewed state queries, contract calls, or unsafe transaction-related operations outside the documented safe paths.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The market-data command set is extensive and not justified by the parent skill's declared purpose. Overbroad functionality increases attack surface and misrouting risk, especially when users ask general token questions and the agent may enter a module that also contains fund-moving and signing workflows.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill declares that wallet operations are triggered when such operations are merely 'mentioned in AI platform conversations,' which is overly broad for a high-risk capability involving authentication, transfers, signing, and DApp interaction. In a wallet context, accidental invocation can route ordinary discussion into privileged tooling and increase the chance of unintended auth flows, transaction preparation, or sensitive data exchange.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The listed trigger keywords include generic phrases like 'login', 'logout', 'transfer', 'approve', and 'check balance' that commonly appear in normal conversation. Because this skill can access wallet identities, balances, signing, and payment flows, broad keyword matching materially raises the risk of accidental invocation and unsafe transitions into sensitive operations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script overwrites MCP configuration and deletes existing skill directories in the user's home directory without an explicit warning, backup, or confirmation. That can destroy local customizations or replace trusted content with repository-provided material, creating persistence and integrity risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script prompts for API and secret keys, then stores them in plaintext JSON on disk without clearly warning the user before collection. Even with `chmod 600`, plaintext local storage increases exposure through backups, local compromise, shell observation, or accidental disclosure, especially because these are high-value wallet/trading credentials.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script appends content to `CLAUDE.md` or `AGENTS.md` with no prior warning or confirmation, causing persistent modification of project governance or agent-routing files. Silent persistence in these files is risky because it alters future agent behavior in a way users may not notice during a routine installer run.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Using broad triggers like "login," "logout," and "disconnect" increases the chance the auth skill will activate on ambiguous everyday language or in the wrong context. In an authentication skill, unintended invocation can prompt external OAuth flows, revoke sessions, or alter stored auth state when the user did not intend to authenticate, creating account confusion and possible denial of service to the current session.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The skill handles Google and Gate OAuth, token refresh, and internal storage of session tokens, but it does not clearly disclose that user information is shared with external identity providers and that tokens are retained internally for subsequent actions. In a wallet context, weak disclosure can undermine informed consent and lead users to authorize sensitive account access without understanding persistence, account linkage, or downstream use across modules.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation triggers are broad enough to match generic phrases like command line or automation context, which can cause over-routing into a powerful wallet skill. In agent systems, imprecise triggers are risky because they may invoke capabilities involving credentials, balances, transfers, or swaps when the user's intent was only loosely related.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| `--to` | Yes | Target token address |
| `--amount` | Yes | Human-readable amount |
| `--slippage` | No | Default 0.03 (3%) |
| `-y, --yes` | No | Skip confirmation (**REQUIRED** for agent) |

The command handles the entire flow automatically:
1. Connect MCP, get wallet address
Confidence
91% confidence
Finding
Skip confirmation

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
1. Connect MCP, get wallet address
2. Call OpenAPI quote, display for user
3. Chain-specific execution:
   - **EVM**: Auto-approve if needed -> re-quote -> build -> RLP encode EIP-1559 -> MCP sign -> submit
   - **Solana**: Re-quote -> build -> base64->base58 conversion -> MCP sign -> submit
4. Poll order status
Confidence
94% confidence
Finding
Auto-approve

Session Persistence

Medium
Category
Rogue Agent
Content
npm install -g gate-wallet-cli

# 2. Add OpenAPI credentials (required for hybrid swap)
mkdir -p ~/.gate-dex-openapi
cat > ~/.gate-dex-openapi/config.json << 'EOF'
{ "api_key": "<YOUR_AK>", "secret_key": "<YOUR_SK>" }
EOF
Confidence
83% confidence
Finding
mkdir -p ~/.gate-dex-openapi cat > ~/.gate-dex-openapi/config.json << 'EOF' { "api_key": "<YOUR_AK>", "secret_key": "<YOUR_SK>" } EOF # 3. Login to MCP (required for most commands) gate-wallet login

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.