awf-skill

Warn

Audited by Snyk on Apr 10, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md and README explicitly instruct fetching and executing content from public sites (e.g., curl https://raw.githubusercontent.com/... in install.sh / Quick Start), and they show workflows that run agents which access public, untrusted domains such as arxiv.org, api.github.com, and mcp.tavily.com (e.g., "Search arxiv for recent AI papers"). The agent is therefore expected to fetch and act on third-party web content as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill's installation explicitly instructs running remote code at runtime via "curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash", which fetches and executes a script from raw.githubusercontent.com and is a required dependency for using the skill.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill repeatedly instructs use of sudo and host-level operations (curl | sudo bash install, iptables DOCKER-USER enforcement, chroot access to host binaries, systemctl/docker commands, mounting volumes) which explicitly require elevated privileges and modify host state, so it pushes the agent to perform privileged system changes.

Issues (3)

  • W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
  • W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
  • W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata

  • Risk Level: MEDIUM
  • Analyzed: Apr 10, 2026, 01:37 PM
  • Issues: 3