gh-aw-mcp-gateway

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly supports configuring HTTP backends (see "HTTP Backend" / "HTTP Transport" and examples like the "remote-mcp" JSON/TOML entries with a "url") and the gateway calls tools/list and forwards JSON-RPC responses from those external MCP servers during initialization and request handling, so untrusted third-party MCP endpoints can supply tool descriptions/responses that the agent reads and that can materially change what tools/actions the agent uses.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs/pulls container images at runtime (e.g., ghcr.io/github/gh-aw-mcpg:latest and ghcr.io/github/github-mcp-server:latest) which fetch and execute remote code as required backend MCP servers, so these URLs are runtime dependencies that execute remote code.