gh-aw-mcp-gateway
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The documentation encourages mounting the host's Docker daemon socket (/var/run/docker.sock) into the gateway container. This provides the containerized application with full control over the host Docker service, representing a significant privilege escalation vector that can lead to host compromise.
- [COMMAND_EXECUTION]: The gateway's configuration format (TOML and JSON) supports the execution of arbitrary system commands, arguments, and entrypoints to spawn backend MCP servers. This capability allows for command injection or remote code execution if the configuration data originates from an untrusted source or is dynamically manipulated by an agent.
- [COMMAND_EXECUTION]: Troubleshooting instructions recommend the use of chmod 777 on log directories. This practice creates world-writable permissions, violating the principle of least privilege and potentially allowing unauthorized users to modify or delete logs.
- [EXTERNAL_DOWNLOADS]: The skill fetches and executes Docker images from GitHub's Container Registry (ghcr.io/github/*). These references target a well-known and trusted organization and are documented as part of the tool's standard operation.
- [PROMPT_INJECTION]: The gateway manages data flows between AI agents and backend MCP servers, creating a surface for indirect prompt injection.
  - Ingestion points: Data enters the agent's context through JSON-RPC responses from backend MCP servers (e.g., github.log, rpc-messages.jsonl) routed via the /mcp endpoints.
  - Boundary markers: The documentation references a 'Layer 3: Plan-Level Trust' model and the 'SafeOutputs' subsystem for result buffering, though the gateway primarily acts as a transparent proxy for protocol traffic.
  - Capability inventory: The gateway spawns Docker containers, maps host filesystem volumes, and executes shell commands defined in the server configuration.
  - Sanitization: The skill highlights 'Schema normalization' to ensure JSON structural integrity and 'SafeOutputs' for deterministic filtering of write operations at the workflow level.