gh-aw-firewall

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly routes agent network requests through a Squid proxy and API sidecar (see "Standard Mode" and "API Proxy Sidecar" examples in SKILL.md) allowing the agent to fetch content from external domains (e.g., api.github.com, api.openai.com, raw.githubusercontent.com) and the "SSL Bump (HTTPS Inspection)" section shows HTTPS content/path inspection—so untrusted third‑party responses can be read by the agent and materially influence its actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The documentation and CI examples explicitly fetch-and-execute a remote installer at runtime via "curl -sSL https://raw.githubusercontent.com/github/gh-aw-firewall/main/install.sh | sudo bash", which runs remote code as a required install/runtime step and therefore presents a high-risk external dependency.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill contains explicit privileged host-level operations (curl | sudo bash install, sudo iptables rules, editing /etc/squid configs and CA certs, chroot/host-binary usage, global npm installs and Docker host networking changes) that modify system state and require/encourage elevated privileges.