gate-mcp-installer

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Gate MCP installer that makes expected local setup changes, but users should understand it installs a global CLI and saves an external MCP server configuration.

Install only if you trust the mcporter npm package and Gate MCP service. Expect this skill to install a global command-line tool and save a persistent MCP server entry that can be used by OpenClaw; remove that configuration if you no longer want requests routed to Gate MCP.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The skill instructs users to run an installation script and perform global npm installation and persistent home-scope configuration changes without any warning, confirmation, or explanation of system impact. In an agent skill context, this is dangerous because it normalizes executing local scripts and modifying the user's environment, increasing the chance of unintended privilege, persistence, or supply-chain exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal